Snort mailing list archives
Truncated TCP Options
From: Paul Schmehl <pauls () utdallas edu>
Date: 27 Jul 2003 15:58:03 -0500
I got a bunch of these today, so I did some research on them, including the mailing list archives and the RFCs. Can't say I *fully* understand them, and a question has arisen that I need an answer to.

In looking at the ACID display of these alerts, I noticed that there *is* an options field displayed, but it's empty (it actually reads "none"). Is this a problem with ACID not parsing the data correctly? (I assume that's the most likely cause.) Or is snort not reporting the options even though it detects that there's a problem with them?

Another thing that I noticed is that the src is one of our web servers and the dest is the same address for over 8700 of the alerts. Anyone want to speculate as to what the cause might be? The server is a Solaris box running Apache, and I'm sure it's not misconfigured. Could a bad request from a client cause this kind of alert?

--
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
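To show what a decoder has to check before it can display TCP options at all, here is an added example (my own code, not from the thread or from Snort) that walks the options area of a TCP header and flags the malformed cases. It assumes, for illustration, that a "Truncated TCP Options" style alert corresponds to an option whose length byte is missing, below 2, or runs past the header end; the sample headers are constructed inline.

```python
import struct

def build_tcp_header(options: bytes) -> bytes:
    """Constructed sample: a 20-byte fixed TCP header plus options, padded to 32 bits."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(padded) // 4          # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", 80, 40000, 1, 0, data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + padded

def parse_tcp_options(tcp_header: bytes):
    """Walk the options area. Returns (parsed_options, truncated).
    truncated is True when an option's length byte is missing, below 2,
    or points past the end of the header (assumed here to be the kind of
    condition behind a decoder alert such as 'Truncated TCP Options')."""
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        return [], True                         # header itself is cut short
    opts = tcp_header[20:data_offset]
    parsed, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # End of Option List
            parsed.append(("EOL", b""))
            break
        if kind == 1:                           # No-Operation (single byte)
            parsed.append(("NOP", b""))
            i += 1
            continue
        if i + 1 >= len(opts):                  # kind byte with no length byte
            return parsed, True
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):  # length runs past the header
            return parsed, True
        parsed.append((kind, opts[i + 2:i + length]))
        i += length
    return parsed, False

# Constructed samples: MSS=1460, NOP, NOP, SACK-permitted (well formed);
# an MSS option claiming 10 bytes inside a 4-byte options area; and a
# trailing kind byte with no length byte.
GOOD = build_tcp_header(b"\x02\x04\x05\xb4\x01\x01\x04\x02")
BAD_LENGTH = build_tcp_header(b"\x02\x0a\x05\xb4")
BAD_TAIL = build_tcp_header(b"\x01\x01\x01\x02")

if __name__ == "__main__":
    for name, hdr in (("GOOD", GOOD), ("BAD_LENGTH", BAD_LENGTH), ("BAD_TAIL", BAD_TAIL)):
        opts, truncated = parse_tcp_options(hdr)
        print(name, "truncated" if truncated else "ok", opts)
```

A console that shows "none" for options on such an alert is consistent with the parser giving up at the first bad option and reporting nothing, so the empty field does not by itself tell you whether the options were absent or unparseable.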