Snort mailing list archives
odd alert and ip src+dst
From: Orlando <xbud () g0thead com>
Date: Sat, 27 Jul 2002 02:17:37 -0500
=-=-=-=-=-=-=-=-=-=
Jul 26 22:40:50 natas snort[23330]: [1:522:1] MISC Tiny Fragments [Classification: Potentially Bad Traffic] [Priority: 2]: {PROTO105} 111.100.101.101 -> 110.64.103.105

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jul 26 22:41:33 natas snort[23330]: [!] WARNING: TCP Data Offset 2 < 5
Jul 26 22:40:50 natas snort[23330]: [1:522:1] MISC Tiny Fragments [Classification: Potentially Bad Traffic] [Priority: 2]: {PROTO105} 111.100.101.101 -> 110.64.103.105

This was on an internal network, a relatively small internal network, and no traces of a breach were found anywhere. No internal machines were scanned, and no ARP requests from any unknown MAC addresses were discovered.

I'm wondering if this is a bug in snort, and if anyone else has encountered this problem?

The internal network consists of an Irix box, 2 Linux servers, one Linux gateway, an access point and 2 workstations, 1 NT and 1 XP. An internal and IDS was placed because of the AP, but the key is 128-bit WEP, and changed every 6 days or so. Yes, we are a bit paranoid : )

If you respond, CC me please, I'm not subscribed to the list.

snort box: debian 2.2r3, latest patches.
snort 1.8.7, default sigs.
options are -dve -D -s -l <dir> -c snort.conf (slightly modified from default)

--
------------------------------
Orlando Padilla
http://www.g0thead.com/xbud.asc
'A woman drove me to drink and I didn't even have the courtesy to thank her' -wa
------------------------------