[Snort-users] Snort 2.8.6 generating invalid ip options in events?

Joel Esler jesler at ...1935...
Fri Jun 4 14:48:13 EDT 2010


Is this a dump out of the database or something?

--
Joel Esler
Sent from my iPhone

On Jun 4, 2010, at 2:33 PM, "Andy Berryman" <aberryman at ...14765...> wrote:

> I'm having an issue with snort 2.8.6 that I have really no clue on  
> how to even start trying to figure out. So, besides Google, you guys  
> are my first hope.
>
>
>
> I'm getting events from snort that have invalid ip options in the
> event. Hoping someone can point me in the right direction on
> how/where to start.
>
>
>
> Here's the event.
>
>
>
> iphdr:1406410883,3436490497,4,15,0,264,44627,0,0,26,1,12955
>
> ipopt:0,0,1,0,
>
> ipopt:1,0,7,37,KAoBZQTCsdFOw/sbIcP7G5o+KHxaPihwpkDWkZJA18PRkOgJpg==
>
> icmphdr:8,0,19178
>
> data:VVJMOmh0dHA6Ly9pcGxhbmUuY3Mud2FzaGluZ3Rvbi5lZHUvcGxfbWVhc3VyZW1lbnQuaHRt
> bCBDb250YWN0OmlwbGFuZS1zdXBwb3J0QGNzLndhc2hpbmd0b24uZWR1AAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
>
>
>
> Thanks,
>
> Andy Berryman