[Snort-users] Question, probably really simple, but a question nonetheless

Kevin Smith kjsmith at ...13166...
Fri Oct 7 08:28:51 EDT 2005

First off a little background with me. At the office, I'm pretty much the only one with Unix/Linux experience and my boss wanted me to set up snort to monitor traffic in basically areas that we would normally delete the traffic. Things that I am not good with, are TCP packet information (but I am learning). So bear with me if the questions are really easy ones to answer.

I have noticed from the Snort daily reports that I have been getting a lot more of the following warnings

95       (snort_decoder) WARNING: TCP Data Offset is less than 5!

Obviously the number (95 in this case) changes and the destination IP varies, but it is always 64.7.xxx.0. Should I be concerned about this increase (which is always from the same source)? What does this Offset mean and why is less than 5 so important to note? Any help would be great. 
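
The field named in the warning above, shown as an added example that is not part of the original post and is not Snort's own code: the TCP Data Offset is the top 4 bits of byte 12 and gives the header length in 32-bit words, so the fixed 20-byte header makes 5 the smallest valid value. The function names and sample segments below are constructed for illustration.

```python
import struct

MIN_DATA_OFFSET = 5  # words; 5 * 4 = 20 bytes, the fixed TCP header (RFC 793)

def build_segment(offset_words, options=b"", payload=b""):
    """Build a constructed TCP segment carrying the given Data Offset value."""
    off_flags = (offset_words << 12) | 0x002  # SYN flag set; all values are sample data
    fixed = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, off_flags, 8192, 0, 0)
    return fixed + options + payload

def check_data_offset(segment):
    """Return (ok, header_len_bytes, reason) for a raw TCP segment."""
    if len(segment) < 20:
        return (False, None, "truncated: fewer than 20 bytes captured")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    offset_words = off_flags >> 12   # top 4 bits of byte 12
    header_len = offset_words * 4    # the field counts 32-bit words
    if offset_words < MIN_DATA_OFFSET:
        # The header claims to be shorter than the mandatory fixed part,
        # so a decoder cannot tell where the payload starts.
        return (False, header_len, "data offset less than 5")
    if header_len > len(segment):
        return (False, header_len, "data offset runs past end of segment")
    return (True, header_len, "ok")

# Constructed sample segments, not captured traffic.
SAMPLES = {
    "plain header": build_segment(5, payload=b"GET /"),
    "with MSS option": build_segment(6, options=bytes.fromhex("020405b4")),
    "offset 0": build_segment(0),
    "offset 3": build_segment(3, payload=b"\x00" * 8),
    "offset 15, no options": build_segment(15),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:24} {check_data_offset(seg)}")
```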


