I have a small network of PCs connected to a switch, the switch connects to the internal NIC in the box with Untangle, the Untangle box connects to the UTM/router via the external NIC and the UTM connects to the DSL modem.
I started getting a ton of entries like below in my UTM log:
Jun 15 01:02:07 packet[816]: nf_ct_tcp: SEQ is under the lower bound (already ACKed data retransmitted) SRC=192.168.0.200 DST=192.168.0.1 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=31495 DF PROTO=TCP SPT=443 DPT=51745 WINDOW=258 ACK PSH FIN URGP=0
Jun 15 01:05:01 packet[816]: nf_ct_tcp: SEQ is over the upper bound (over the window of the receiver) SRC=192.168.0.203 DST=204.15.65.201 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=520 DF PROTO=TCP SPT=443 DPT=17578 WINDOW=259 ACK FIN URGP=0
Jun 15 01:14:02 snort: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK {TCP} 192.168.0.197:50414 -> 207.200.29.91:80
Jun 15 01:22:09 snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 192.168.0.197:51150 -> 207.200.29.91:80
Jun 15 02:11:23 kernel: __ratelimit: 5 messages suppressed
I googled but couldn't find anything that made sense to me.
I do not recall ever getting any entries like the ones above until I added the Untangle box and of course removing the Untangle box stops the log entries.
What do these entries mean and what's causing them?
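The entries quoted in the question come from three different sources that are easy to confuse in one syslog stream: the `nf_ct_tcp:` lines are the Linux netfilter TCP connection tracker complaining that a packet's sequence number fell outside the window it has recorded for that connection (the packet is treated as INVALID), the `snort: [119:x:y]` lines are Snort's http_inspect preprocessor (generator ID 119) flagging unusual URL encodings on outbound HTTP, and `__ratelimit` is the kernel suppressing repeats of the conntrack message. Before deciding whether the conntrack complaints are benign, a practitioner usually wants to know which hosts trigger them, in which direction, and with which TCP flags. The parser below, an added example that is not part of the question or of any Untangle or UTM tooling, extracts exactly that from the log format shown above; the sample lines are constructed from the entries in the question, the regular expressions are assumptions about the UTM's log layout, and the server-to-client direction heuristic is based only on the port numbers.

```python
import re
from collections import Counter

# Constructed sample input: the five entries quoted in the question, one per line.
SAMPLE_LOG = """\
Jun 15 01:02:07 packet[816]: nf_ct_tcp: SEQ is under the lower bound (already ACKed data retransmitted) SRC=192.168.0.200 DST=192.168.0.1 LEN=89 TOS=0x00 PREC=0x00 TTL=127 ID=31495 DF PROTO=TCP SPT=443 DPT=51745 WINDOW=258 ACK PSH FIN URGP=0
Jun 15 01:05:01 packet[816]: nf_ct_tcp: SEQ is over the upper bound (over the window of the receiver) SRC=192.168.0.203 DST=204.15.65.201 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=520 DF PROTO=TCP SPT=443 DPT=17578 WINDOW=259 ACK FIN URGP=0
Jun 15 01:14:02 snort: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK {TCP} 192.168.0.197:50414 -> 207.200.29.91:80
Jun 15 01:22:09 snort: [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING {TCP} 192.168.0.197:51150 -> 207.200.29.91:80
Jun 15 02:11:23 kernel: __ratelimit: 5 messages suppressed
"""

# Assumed syslog layout: "Mon DD HH:MM:SS <tag>: <message>" (an assumption about this UTM's format).
TIMESTAMP = r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)'

# netfilter conntrack complaint followed by the iptables LOG-style KEY=VALUE tail.
CONNTRACK_RE = re.compile(
    TIMESTAMP + r' \S+: nf_ct_tcp: (?P<reason>.+?) SRC=(?P<src>\S+) DST=(?P<dst>\S+) (?P<fields>.*)$'
)
# Snort alert: [gid:sid:rev] (preprocessor) MESSAGE {PROTO} src:spt -> dst:dpt
SNORT_RE = re.compile(
    TIMESTAMP + r' snort: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] '
    r'\((?P<preproc>[^)]+)\) (?P<msg>.+?) \{(?P<proto>\w+)\} '
    r'(?P<src>[\d.]+):(?P<spt>\d+) -> (?P<dst>[\d.]+):(?P<dpt>\d+)$'
)
RATELIMIT_RE = re.compile(TIMESTAMP + r' kernel: __ratelimit: (?P<n>\d+) messages suppressed$')

TCP_FLAGS = {'SYN', 'ACK', 'PSH', 'FIN', 'RST', 'URG'}


def parse_conntrack_fields(fields):
    """Split the LOG-target tail into KEY=VALUE pairs and bare TCP flag tokens."""
    kv, flags = {}, []
    for tok in fields.split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            kv[k] = v
        elif tok in TCP_FLAGS:
            flags.append(tok)
        # other bare tokens such as DF (don't fragment) are ignored
    return kv, flags


def parse_line(line):
    """Classify one log line; returns a dict with a 'kind' key, or None if unrecognised."""
    m = CONNTRACK_RE.match(line)
    if m:
        kv, flags = parse_conntrack_fields(m.group('fields'))
        spt, dpt = int(kv.get('SPT', 0)), int(kv.get('DPT', 0))
        return {
            'kind': 'conntrack', 'ts': m.group('ts'), 'reason': m.group('reason'),
            'src': m.group('src'), 'dst': m.group('dst'), 'spt': spt, 'dpt': dpt,
            'flags': flags,
            # Heuristic (assumption): a well-known source port and ephemeral destination
            # port means this packet is the server-to-client half of the connection.
            'direction': 'server->client' if spt < 1024 <= dpt else 'client->server',
        }
    m = SNORT_RE.match(line)
    if m:
        return {
            'kind': 'snort', 'ts': m.group('ts'),
            'sig': f"{m.group('gid')}:{m.group('sid')}:{m.group('rev')}",
            'preproc': m.group('preproc'), 'msg': m.group('msg'), 'proto': m.group('proto'),
            'src': m.group('src'), 'spt': int(m.group('spt')),
            'dst': m.group('dst'), 'dpt': int(m.group('dpt')),
        }
    m = RATELIMIT_RE.match(line)
    if m:
        return {'kind': 'ratelimit', 'ts': m.group('ts'), 'suppressed': int(m.group('n'))}
    return None


def summarize(log_text):
    """Count entries per message type and per source host, and total suppressed repeats."""
    by_message, by_src, suppressed, unparsed = Counter(), Counter(), 0, []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec['kind'] == 'ratelimit':
            suppressed += rec['suppressed']
        else:
            key = rec['reason'] if rec['kind'] == 'conntrack' else rec['msg']
            by_message[(rec['kind'], key)] += 1
            by_src[rec['src']] += 1
    return {'by_message': by_message, 'by_src': by_src,
            'suppressed': suppressed, 'unparsed': unparsed}


if __name__ == '__main__':
    for (kind, msg), n in summarize(SAMPLE_LOG)['by_message'].items():
        print(f"{n:3d}  {kind:9s} {msg}")
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        if rec and rec['kind'] == 'conntrack':
            print(rec['src'], '->', rec['dst'], rec['direction'], ' '.join(rec['flags']))
```

Run against the real UTM log instead of the sample, the per-source and direction breakdown shows whether the conntrack messages all concern return traffic from a few servers, as both sample lines do (source port 443, ACK and FIN set), which is the information needed before relaxing the window check on the UTM (the kernel knob for that check is `net.netfilter.nf_conntrack_tcp_be_liberal`) or deciding that the Snort http_inspect alerts on 192.168.0.197 deserve a separate look at what that host is sending.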