[Snort-users] Question, probably really simple, but a question nonetheless

Alex Kirk alex.kirk at ...1935...
Fri Oct 7 11:13:30 EDT 2005


Definitely not a dumb question. Basically, these alerts are generated 
when TCP packets with an invalid length are received. The four bits in a 
standard TCP header which begin at byte 13 -- i.e., directly after the 
acknowledgement number -- specify the data offset, otherwise known as 
the TCP header length[1] (the length of the header is equivalent to the 
offset into the IP payload where the TCP payload begins, thus the two 
names). Since a TCP header must be at least 20 bytes, Snort generates an 
alert for packets whose reported length is less than this. Note that 
this header length is given in terms of 32-bit words, so the actual 
value in the packet must be multiplied by 4 in order to get a value in 
bytes. [2]

All that said, it's unusual to see an IP address that ends in a .0. This 
makes me wonder if there's some sort of misconfiguration somewhere, or 
if something else strange is going on. Can you send PCAPs of this 
traffic, or even hex dumps (PCAPs being preferable)? Being able to see 
the actual packet would be a huge help in terms of determining whether 
this is something you need to care about.

Alex Kirk
Research Analyst
Sourcefire, Inc.

[1] http://www.freesoft.org/CIE/Course/Section4/8.htm has a good diagram 
of this that even labels the area as "Data Offset."
[2] Stevens, Richard W.: TCP/IP Illustrated, Volume 1, p. 226.
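As an added illustration (not code from the original thread or from Snort itself), the check described above written out in Python: the Data Offset nibble is read from the 13th header byte (index 12), scaled from 32-bit words to bytes, and flagged when it is below 5. The headers are constructed samples, not captured packets.

```python
import struct
from typing import Optional

TCP_MIN_HEADER_LEN = 20  # bytes, so Data Offset must be at least 5 words


def tcp_data_offset(segment: bytes) -> int:
    """Return the 4-bit Data Offset (in 32-bit words) of a raw TCP segment.

    The field is the high nibble of the 13th byte (index 12), which sits
    directly after the 32-bit acknowledgement number.
    """
    if len(segment) < 13:
        raise ValueError("segment too short to contain a Data Offset byte")
    return segment[12] >> 4


def tcp_header_length(segment: bytes) -> int:
    """Header length in bytes: the offset is in 32-bit words, so multiply by 4."""
    return tcp_data_offset(segment) * 4


def check_data_offset(segment: bytes) -> Optional[str]:
    """Mimic the decoder check: a warning string when the offset is < 5, else None."""
    off = tcp_data_offset(segment)
    if off * 4 < TCP_MIN_HEADER_LEN:
        return (f"(snort_decoder) WARNING: TCP Data Offset is less than 5! "
                f"(offset={off} words, {off * 4} bytes)")
    return None


def build_tcp_header(src_port: int, dst_port: int, data_offset: int,
                     flags: int = 0x02, options: bytes = b"") -> bytes:
    """Constructed sample header with a chosen Data Offset (hypothetical values)."""
    seq, ack, window, checksum, urg = 1, 0, 65535, 0, 0
    offset_byte = (data_offset & 0xF) << 4  # high nibble; reserved bits left zero
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        offset_byte, flags, window, checksum, urg)
    return fixed + options


# Constructed samples: a plain SYN, a SYN with 12 bytes of options (offset 8),
# and a header that is physically 20 bytes but claims only 4 words (16 bytes).
VALID_SYN = build_tcp_header(40000, 80, 5)
SYN_OPTIONS = build_tcp_header(40000, 80, 8, options=bytes.fromhex("020405b4 0101 0402 01 030307".replace(" ", "")))
MALFORMED = build_tcp_header(40000, 80, 4)

if __name__ == "__main__":
    for name, seg in [("syn", VALID_SYN), ("syn+opts", SYN_OPTIONS), ("bad", MALFORMED)]:
        print(name, tcp_header_length(seg), check_data_offset(seg))
```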

> First off a little background with me. At the office, I'm pretty much 
> the only one with Unix/Linux experience and my boss wanted me to set 
> up snort to monitor traffic in basically areas that we would normally 
> delete the traffic. Things that I am not good with, are TCP packet 
> information (but I am learning). So bear with me if the questions are 
> really easy ones to answer.
> I have noticed from the Snort daily reports that I have been getting a 
> lot more of the following warnings
> 95       (snort_decoder) WARNING: TCP Data Offset is less than 5!
> Obviously the number (95 in this case) changes and the destination IP 
> varies, but it is always 64.7.xxx.0. Should I be concerned about this 
> increase (which is always from the same source)? What does this Offset 
> mean and why is less than 5 so important to note? Any help would be 
> great.
> Thanks,
> Kevin
