Snort mailing list archives
Re: Question, probably really simple, but a question nonetheless
From: Alex Kirk <alex.kirk () sourcefire com>
Date: Fri, 07 Oct 2005 14:11:50 -0400
Kevin,

Definitely not a dumb question. Basically, these alerts are generated when TCP packets with an invalid length are received. The four bits in a standard TCP header which begin at byte 13 -- i.e., directly after the acknowledgement number -- specify the data offset, otherwise known as the TCP header length[1] (the length of the header is equivalent to the offset into the IP payload where the TCP payload begins, thus the two names). Since a TCP header must be at least 20 bytes, Snort generates an alert for packets whose reported length is less than this. Note that this header length is given in terms of 32-bit words, so the actual value in the packet must be multiplied by 4 in order to get a value in bytes. [2]
All that said, it's unusual to see an IP address that ends in a .0. This makes me wonder if there's some sort of misconfiguration somewhere, or if something else strange is going on. Can you send PCAPs of this traffic, or even hex dumps (PCAPs being preferable)? Being able to see the actual packet would be a huge help in terms of determining whether this is something you need to care about.
Alex Kirk
Research Analyst
Sourcefire, Inc.

[1] http://www.freesoft.org/CIE/Course/Section4/8.htm has a good diagram of this that even labels the area as "Data Offset."
[2] Stevens, Richard W.: TCP/IP Illustrated, Volume 1, p. 226.
First off, a little background on me. At the office, I'm pretty much the only one with Unix/Linux experience, and my boss wanted me to set up Snort to monitor traffic in basically the areas where we would normally delete the traffic. Things that I am not good with are TCP packet information (but I am learning). So bear with me if the questions are really easy ones to answer.

I have noticed from the Snort daily reports that I have been getting a lot more of the following warnings:

95 61.133.3.47 64.7.160.0 (snort_decoder) WARNING: TCP Data Offset is less than 5!

Obviously the number (95 in this case) changes and the destination IP varies, but it is always 64.7.xxx.0. Should I be concerned about this increase (which is always from the same source)? What does this Offset mean and why is less than 5 so important to note? Any help would be great.

Thanks,
Kevin

-------------------------------------------------------
This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
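The field Alex describes and the report line Kevin quoted, worked through in Python as an added example (it is not code from the thread, from Snort, or from either poster): it pulls the 4-bit Data Offset out of byte 12 of a TCP header, multiplies it by 4 to get the header length, and flags any header that claims fewer than 5 words, which is the condition behind the decoder warning. The TCP segments are constructed by hand rather than captured, the helper names are mine, and the wording of the second, complementary warning (header length running past the end of the segment) is my own, not Snort's.

```python
"""Decode the TCP Data Offset field and reproduce the decoder check behind
"TCP Data Offset is less than 5!".

Added example for this thread, not code from Snort or from either poster.
The segments below are constructed by hand (not captured traffic), and every
function name here is my own.
"""
import struct
from typing import Optional

TCP_FIXED_HEADER_LEN = 20   # bytes; the smallest legal header, i.e. data offset 5
DATA_OFFSET_INDEX = 12      # zero-based byte right after the 32-bit ack number


def build_tcp_header(sport: int, dport: int, data_offset: int, flags: int = 0x02,
                     seq: int = 0, ack: int = 0, window: int = 65535) -> bytes:
    """Pack a 20-byte TCP header with an arbitrary 4-bit data offset.

    Only used to fabricate samples, so the offset is deliberately NOT checked
    against 5: this is how the malformed values (0, 3, ...) below are produced.
    """
    if not 0 <= data_offset <= 15:
        raise ValueError("data offset is a 4-bit field")
    offset_and_flags = (data_offset << 12) | (flags & 0x1FF)
    # ports, seq, ack, offset/flags, window, checksum (0), urgent pointer (0)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_and_flags, window, 0, 0)


def tcp_data_offset(segment: bytes) -> int:
    """Return the Data Offset field in 32-bit words (high nibble of byte 12)."""
    if len(segment) < TCP_FIXED_HEADER_LEN:
        raise ValueError(f"truncated TCP segment: {len(segment)} bytes")
    return segment[DATA_OFFSET_INDEX] >> 4


def tcp_header_length(segment: bytes) -> int:
    """Header length in bytes: the 4-bit word count multiplied by 4."""
    return tcp_data_offset(segment) * 4


def check_data_offset(segment: bytes) -> Optional[str]:
    """Return a decoder-style warning, or None when the offset is plausible.

    A data offset below 5 claims a header shorter than its own fixed 20 bytes,
    which no well-formed segment can have; this is the condition behind the
    Snort message quoted in the thread. The complementary case (header length
    running past the end of the segment) is flagged too; that message text is
    my own wording, not Snort's.
    """
    offset = tcp_data_offset(segment)
    if offset < 5:
        return f"(snort_decoder) WARNING: TCP Data Offset is less than 5! (offset={offset})"
    if offset * 4 > len(segment):
        return (f"WARNING: TCP header length {offset * 4} exceeds "
                f"segment length {len(segment)}")
    return None


def tcp_payload(segment: bytes) -> bytes:
    """Payload begins data_offset*4 bytes in, which is why the same field is
    called both 'data offset' and 'header length'. Refuses bogus offsets."""
    hlen = tcp_header_length(segment)
    if hlen < TCP_FIXED_HEADER_LEN or hlen > len(segment):
        raise ValueError(f"bogus TCP header length {hlen} for {len(segment)}-byte segment")
    return segment[hlen:]


# Constructed samples (not real traffic). Ports are arbitrary.
VALID_SYN = build_tcp_header(40000, 80, data_offset=5)            # plain 20-byte header
VALID_WITH_OPTIONS = (build_tcp_header(40000, 80, data_offset=7)  # 28-byte header
                      + b"\x02\x04\x05\xb4"                        # MSS 1460
                      + b"\x01\x01"                                # NOP, NOP
                      + b"\x04\x02")                               # SACK permitted
BOGUS_OFFSET_3 = build_tcp_header(40000, 80, data_offset=3)        # triggers the alert
ZERO_OFFSET = build_tcp_header(40000, 80, data_offset=0)           # also triggers it
OVERLONG_OFFSET = build_tcp_header(40000, 80, data_offset=8)       # claims 32 bytes, has 20


def report(name: str, segment: bytes) -> str:
    """One line per segment, in the spirit of the daily report Kevin quoted."""
    warning = check_data_offset(segment)
    return (f"{name}: offset={tcp_data_offset(segment)} words "
            f"({tcp_header_length(segment)} bytes) -> {warning or 'ok'}")


if __name__ == "__main__":
    for name, seg in [("VALID_SYN", VALID_SYN), ("VALID_WITH_OPTIONS", VALID_WITH_OPTIONS),
                      ("BOGUS_OFFSET_3", BOGUS_OFFSET_3), ("ZERO_OFFSET", ZERO_OFFSET),
                      ("OVERLONG_OFFSET", OVERLONG_OFFSET)]:
        print(report(name, seg))
```

No TCP stack emits a data offset below 5, so when this alert fires the bytes are either crafted or corrupted, or they are not a TCP header at all (for instance, a mis-decoded encapsulation that puts the wrong bytes at offset 12). That is why looking at the raw packet, as Alex asks for, settles the question far faster than reasoning from the alert count alone.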
Current thread:
- Question, probably really simple, but a question nonetheless Kevin Smith (Oct 07)
- Re: Question, probably really simple, but a question nonetheless Alex Kirk (Oct 07)
- <Possible follow-ups>
- Re: Question, probably really simple, but a question nonetheless Alex Kirk (Oct 07)
