[Snort-users] Question, probably really simple, but a question nontheless
alex.kirk at ...1935...
Fri Oct 7 11:13:30 EDT 2005
Definitely not a dumb question. Basically, these alerts are generated
when TCP packets with an invalid length are received. The four bits in a
standard TCP header which begin at byte 13 -- i.e., directly after the
acknowledgement number -- specify the data offset, otherwise known as
the TCP header length (the length of the header is equivalent to the
offset into the IP payload where the TCP payload begins, thus the two
names). Since a TCP header must be at least 20 bytes, Snort generates an
alert for packets whose reported length is less than this. Note that
this header length is given in terms of 32-bit words, so the actual
value in the packet must be multiplied by 4 in order to get a value in
All that said, it's unusual to see an IP address that ends in a .0. This
makes me wonder if there's some sort of misconfiguration somewhere, or
if something else strange is going on. Can you send PCAPs of this
traffic, or even hex dumps (PCAPs being preferable)? Being able to see
the actual packet would be a huge help in terms of determining whether
this is something you need to care about.
 http://www.freesoft.org/CIE/Course/Section4/8.htm has a good diagram
of this that even labels the area as "Data Offset."
 Stevens, Richard W.: TCP/IP Illustrated, Volume 1, p. 226.
> First off a little background with me. At the office, I'm pretty much
> the only one with Unix/Linux experience and my boss watned me to set
> up snort to monitor traffic in basically areas that we would normally
> delete the traffic. Things that I am not good with, are TCP packet
> information (but I am learning). So bear with me if the questions are
> really easy ones to answer.
> I have noticed from the Snort dialy reports that I have been getting a
> lot more of the following warnings
> 95 22.214.171.124 126.96.36.199 (snort_decoder) WARNING: TCP
> Data Offset is less than 5!
> Obviously the number (95 in this case) changes and the destination IP
> varies, but it is always 64.7.xxx.0. Should I be concerned about this
> increase (which is always from the same source)? What does this Offset
> mean and why is less than 5 so important to note? Any help would be
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads, discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users