Snort mailing list archives

Re: MISC IP Reserved bit set


From: "Miller, Toby" <ToMiller () USAID GOV>
Date: Tue, 9 Oct 2001 10:57:30 -0400

The reserved bits have nothing to do with the PSH or URG flags. It can
be one of two things:

1) Crafted packet. Queso sets these bits when it scans.

2) ECN, Explicit Congestion Notification. RFC 3168, 2884 and 2481. I also
wrote a paper on ECN; you can find that at securityfocus under IDS.

Toby

On Tue, 9 Oct 2001, Jean Michel BARBET wrote:

I have used snort for about 2 months now and it is an invaluable tool
both for auditing your network and for learning.

Yesterday I got a bunch of :

[**] [1:523:1] MISC IP Reserved bit set [**]
10/08-11:10:29.567869 EXTERNAL_NET -> HOME_NET
PROTO204 TTL:153 TOS:0x0 ID:153 IpLen:12 DgmLen:200

(I replaced the real addresses by EXTERNAL_NET and HOME_NET)
I got more than 6000 of these within 3 hours, then it stopped...
There are many different sources and targets.

I run snort V1.8 :
Version 1.8-RELEASE (Build 43)
By Martin Roesch (roesch () sourcefire com, www.snort.org)

=> Could somebody explain to me what these alerts are?

It means that there were some of the reserved bits set on some packets
coming into your net.  I'd guess either URG or PSH.  Have a look at
W. Richard Stevens' book TCP/IP Illustrated, Volume 1--The Protocols,
p. 227 for a list.  Section 17.3 explains much better than I what they
are used for.  The question you must figure out is 'Why?'  That's not a
normal thing for many nets.  You should look at the packet payload and
see if it looks 'odd' on some of those...

Also I am running two different versions of snort on two slightly
different machines on the same mirrored port of a switch.  These are
V1.7 and the already mentioned V1.8-build 43.

Both of them are dumping core about once a week.

V1.7 runs on Linux RedHat 7.0, Kernel : 2.2.16-22
V1.8 runs on Linux RedHat 7.0, kernel : 2.2.19-7.0.8

First off, I'd suggest upgrading to 1.8.1-RELEASE on both boxes.  1.8.1
has quite a few changes for stability.  If you do that, your problems
might go away.

=> Any idea of what is making snort crash ? Can I help by sending
   a core file ?

Read the BUGS file and follow those instructions instead.  :)  It's got
a set of steps for you to follow.  Once you do that, we really don't
need a core file sent to the list.

Hope this helps!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=
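Added example, not code from the Snort project or from anyone in this thread: a small C decoder for the bits the two replies above are talking about, so that the IPv4 reserved flag, the TCP reserved bits that ECN took over as CWR/ECE (RFC 3168), and the ordinary PSH/URG flags can be checked separately on a raw header. It assumes (not stated on the page) that the "MISC IP Reserved bit set" rule keys on the reserved bit of the IPv4 flags field, the one Snort's fragbits keyword calls R. Since the quoted alert shows PROTO204 rather than TCP, the decoder only reads TCP bits when the IP protocol is 6, and it rejects an IHL below the 20-byte minimum (the alert's IpLen:12) instead of reading past the header. The sample headers are constructed inline.

```c
/* Added example, not code from Snort or from anyone in this thread. It
 * decodes the IPv4 reserved flag and the TCP "reserved" bits from a raw
 * header so the three things the thread discusses can be told apart:
 * the IPv4 flags reserved bit (assumed to be what Snort's fragbits:R matches),
 * the two former TCP reserved bits ECN uses as CWR/ECE (RFC 3168), and
 * PSH/URG, which are ordinary TCP flags and not reserved bits at all. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_FLAG_RESERVED 0x8000  /* high bit of the flags/fragment-offset word */
#define IP_FLAG_DF       0x4000

/* TCP header byte 13: RFC 793 flags plus the RFC 3168 ECN bits */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
#define TCP_ECE 0x40  /* reserved in RFC 793; ECN-Echo since RFC 2481/3168 */
#define TCP_CWR 0x80  /* reserved in RFC 793; Congestion Window Reduced since RFC 2481/3168 */

/* Bitmask returned by classify() */
#define BIT_IP_RESERVED  0x1  /* IPv4 reserved flag set */
#define BIT_TCP_ECN      0x2  /* CWR and/or ECE set */
#define BIT_TCP_RESERVED 0x4  /* low nibble of TCP byte 12 (still reserved) set */
#define BIT_TCP_PSH_URG  0x8  /* PSH and/or URG set */

/* Classify a packet starting at its IPv4 header. Returns the bitmask above,
 * or -1 if the header is truncated or its IHL is invalid; an IpLen of 12 like
 * the alert quoted in the thread is below the 20-byte minimum and is rejected. */
int classify(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return -1;

    int bits = 0;
    uint16_t fragword = (uint16_t)((pkt[6] << 8) | pkt[7]);
    if (fragword & IP_FLAG_RESERVED) bits |= BIT_IP_RESERVED;

    if (pkt[9] != 6) return bits;        /* not TCP (e.g. PROTO204): only the IP bit applies */
    if (len < ihl + 20) return -1;
    const uint8_t *tcp = pkt + ihl;
    if (tcp[12] & 0x0f)                  bits |= BIT_TCP_RESERVED;
    if (tcp[13] & (TCP_CWR | TCP_ECE))   bits |= BIT_TCP_ECN;
    if (tcp[13] & (TCP_PSH | TCP_URG))   bits |= BIT_TCP_PSH_URG;
    return bits;
}

/* Build a constructed 40-byte IPv4+TCP header sample: no options, no payload,
 * zero checksums and addresses. ihl_words is the IHL nibble (5 is normal;
 * a smaller value deliberately produces a malformed header). */
size_t build_ipv4_tcp(uint8_t buf[40], uint8_t ihl_words, uint8_t proto,
                      uint16_t fragword, uint8_t tcp12, uint8_t tcp13)
{
    memset(buf, 0, 40);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    buf[3] = 40;                          /* total length */
    buf[6] = (uint8_t)(fragword >> 8);
    buf[7] = (uint8_t)(fragword & 0xff);
    buf[8] = 64;                          /* TTL */
    buf[9] = proto;
    buf[20 + 12] = tcp12;                 /* data offset nibble + reserved nibble */
    buf[20 + 13] = tcp13;                 /* flags */
    return 40;
}

/* Build a sample with the given fields and classify it. */
int bits_for(uint8_t ihl_words, uint8_t proto, uint16_t fragword,
             uint8_t tcp12, uint8_t tcp13)
{
    uint8_t buf[40];
    size_t n = build_ipv4_tcp(buf, ihl_words, proto, fragword, tcp12, tcp13);
    return classify(buf, n);
}

static void show(const char *label, int bits)
{
    if (bits < 0) { printf("%-30s malformed header\n", label); return; }
    printf("%-30s ip_reserved=%d ecn=%d tcp_reserved=%d psh_urg=%d\n", label,
           !!(bits & BIT_IP_RESERVED), !!(bits & BIT_TCP_ECN),
           !!(bits & BIT_TCP_RESERVED), !!(bits & BIT_TCP_PSH_URG));
}

int main(void)
{
    show("PSH|ACK|URG",           bits_for(5, 6, IP_FLAG_DF, 0x50, TCP_PSH | TCP_ACK | TCP_URG));
    show("ECN-setup SYN",         bits_for(5, 6, IP_FLAG_DF, 0x50, TCP_SYN | TCP_ECE | TCP_CWR));
    show("ECN-setup SYN-ACK",     bits_for(5, 6, IP_FLAG_DF, 0x50, TCP_SYN | TCP_ACK | TCP_ECE));
    show("IP reserved flag",      bits_for(5, 6, IP_FLAG_RESERVED | IP_FLAG_DF, 0x50, TCP_SYN));
    show("TCP reserved nibble",   bits_for(5, 6, 0, 0x5f, TCP_SYN));
    show("PROTO204, IP reserved", bits_for(5, 204, IP_FLAG_RESERVED, 0, 0));
    show("IHL 3 (IpLen 12)",      bits_for(3, 6, IP_FLAG_DF, 0x50, TCP_SYN));
    return 0;
}
```

The PSH|ACK|URG sample sets nothing the decoder counts as reserved, an ECN-setup SYN sets only the two bits RFC 3168 reassigned from the reserved field, and only the packets with the IPv4 flags reserved bit set would match a rule keyed on fragbits:R. When triaging a burst like the one reported, the two questions to separate are therefore whether the flagged bit is in the IP header or the TCP header, and whether the IP header itself is even sane (IpLen:12 is not).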
