I've seen similar from a number of sites. You might want
to run the packets through ethereal or tcpdump or similar
to verify it, but the ones I've investigated have ended up
being ECN packets - seems snort isn't yet smart enough to
understand the ECN extensions to TCP...
tw
On 08/29/2001 01:50 +0100, Dale Amon wrote:
>> Any one have an idea why I'd be getting these snort alerts
>> from vger mail transactions?
>>
>> [**] [111:4:1] spp_stream4: WINDOW VIOLATION detection [**]
>> 08/27-01:01:27.806453 199.183.24.194:45473 -> 194.46.0.61:25
>> TCP TTL:49 TOS:0x0 ID:25963 IpLen:20 DgmLen:74 DF
>> ***AP*** Seq: 0x3DFC914F Ack: 0xC8CF2D66 Win: 0x16D0 TcpLen: 32
>> TCP Options (3) => NOP NOP TS: 137819194 96190743
>>
>> --
>> ------------------------------------------------------
>> Use Linux: A computer Dale Amon, CEO/MD
>> is a terrible thing Village Networking Ltd
>> to waste. Belfast, Northern Ireland
>> ------------------------------------------------------
>> -
>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at http://vger.kernel.org/majordomo-info.html
>> Please read the FAQ at http://www.tux.org/lkml/
End of included message
-- twalberg@mindspring.com
This archive was generated by hypermail 2b29 : Fri Aug 31 2001 - 21:00:32 EST