Firewall Wizards mailing list archives

Re: IPF and ECN

From: Patrick Oonk <patrick () pine nl>
Date: Thu, 21 Sep 2000 18:47:50 +0200

On Tue, Sep 19, 2000 at 06:34:47PM -0500, Hammerle, Tye F. wrote:

I recently had a couple of mail servers using ECN trigger an alert wiht
snort while they were trying to send mail to us. Upon investigation I found
one was from Loyola. The admin there, Ben Galliart, did some research and
came up with the info in the message below. 

I am running a PIX (5.1) which does not recognize a connection attempt with
ECN set, it denies it with a 'no connection' message. These two mail servers
were unable to deliver mail to us due to this. 

BTW, snort classified it as a 'Queso Fingerprint Attempt'.

So far you are the only post I've seen that has noticed this. What version
of IPF are you running? platform?


ipf: IP Filter: v3.3.8 (192)    

FreeBSD xxxxx 4.0-STABLE FreeBSD 4.0-STABLE #3: Mon Jul  3
09:25:47 CEST 2000

        Patrick


-- 
 Patrick Oonk -  PO1-6BONE -  patrick () pine nl -  www.pine.nl/~patrick
 Pine Internet - PAT31337-RIPE - PGPkeyID BE7497F1 - XOIP+31208723350 
 Tel: +31-70-3111010  -   Fax: +31-70-3111011   -  http://security.nl
 PGP   fingerprint   97 27 CB 46 25 39 66 77  F8 BF C3 93 4A EC 21 D6
 Excuse of the day: Your processor has taken a ride to Heaven's
 Gate on the UFO behind Hale-Bopp's comet.

_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

Current thread:

IPF and ECN Patrick Oonk (Sep 19)
- Re: IPF and ECN Darren Reed (Sep 23)
- <Possible follow-ups>
- RE: IPF and ECN Hammerle, Tye F. (Sep 20)
  - Re: IPF and ECN Patrick Oonk (Sep 22)