Snort mailing list archives

Re: BPF for ECN Bits


From: Erik Fichtner <emf () servervault com>
Date: Thu, 24 May 2001 17:13:14 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 24, 2001 at 12:19:21PM -0700, Joe McAlerney wrote:
> I wrote this one a while back.  It was tested, and seems to work.
> Please let me know if you find it is not doing the job.
>
> # snort <command options> not 'tcp[13] & 192 != 0'

Well, it works, but it doesn't work. It prevents snort from seeing
ECNified packets--entirely. Which means, any ECN host can attack you with
impunity and you'll never see it.

Better to just patch spp_portscan and remove the queso fingerprinting rules
if ECN is giving you grief. (spp_portscan needs a -dontflagecn option..)


- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7DXlqQ7EzrewLMS0RAp9IAJ44e5LDsvec0sXXq6MvRMK2X/J0EQCcC8G7
shSjf1/z+jz4uYsP8yc5jHA=
=nY1e
-----END PGP SIGNATURE-----

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
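The point of the reply above is that the BPF expression `not 'tcp[13] & 192 != 0'` is a blanket exclusion: `tcp[13]` is the TCP flags byte and 192 (0xC0) is the CWR|ECE mask, so every segment from an ECN-capable host is dropped before Snort sees it, whereas the fix Erik suggests keeps the packet and only stops the flag-based rules from treating the ECN bits as a fingerprint. The following Python is an added illustration written for this archive page; it is not code from the thread or from Snort. It constructs three sample TCP headers (not captured traffic), models the BPF predicate on `tcp[13]`, and uses a simplified "SYN with both reserved bits set" check as a stand-in for the old queso fingerprint rule (the real Snort rule is not reproduced here). The function names are the example's own.

```python
import struct

# TCP flag bits of header byte 13, the byte BPF's tcp[13] reads.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ECN_MASK = CWR | ECE          # 0xC0 == 192, the constant in the filter from the thread


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Construct a minimal 20-byte TCP header (no options, zero checksum) for the demo."""
    offset_and_flags = (5 << 12) | (flags & 0xFF)   # data offset 5 words; reserved/NS bits zero
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, 8192, 0, 0)


def tcp13(tcp_header: bytes) -> int:
    """Return tcp[13], the flags byte, exactly as BPF indexes it."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    return tcp_header[13]


def passes_ecn_exclusion_filter(tcp_header: bytes) -> bool:
    """Model of  not 'tcp[13] & 192 != 0' : True only if the packet reaches Snort at all."""
    return not (tcp13(tcp_header) & ECN_MASK != 0)


def flags_ignoring_ecn(tcp_header: bytes) -> int:
    """The alternative the reply argues for: keep the packet, but mask CWR/ECE out
    before flag-based rules look at it (what a -dontflagecn option would do)."""
    return tcp13(tcp_header) & ~ECN_MASK & 0xFF


def looks_like_reserved_bit_syn(flags: int) -> bool:
    """Simplified stand-in (assumption, not the real rule) for a queso-style check:
    a SYN with both high bits set. An ordinary ECN-setup SYN has exactly this shape,
    which is why such a rule misfires on ECN hosts."""
    return flags & (SYN | ECN_MASK) == (SYN | ECN_MASK)


def evaluate(packets):
    """For each (name, header): does the BPF filter let it through, and does the
    flag check fire on the raw flags versus the ECN-stripped flags?"""
    results = {}
    for name, hdr in packets:
        raw = tcp13(hdr)
        results[name] = {
            "reaches_snort": passes_ecn_exclusion_filter(hdr),
            "rule_fires_raw": looks_like_reserved_bit_syn(raw),
            "rule_fires_ecn_stripped": looks_like_reserved_bit_syn(flags_ignoring_ecn(hdr)),
        }
    return results


# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    ("plain SYN",        build_tcp_header(40000, 80, SYN)),
    ("ECN-setup SYN",    build_tcp_header(40001, 80, SYN | ECE | CWR)),
    ("ECN data segment", build_tcp_header(40001, 80, ACK | PSH | ECE)),
]

if __name__ == "__main__":
    for name, r in evaluate(SAMPLE_PACKETS).items():
        print(f"{name:18s} {r}")
```

Running it shows the asymmetry the reply describes: under the BPF exclusion only the plain SYN ever reaches Snort, so both the ECN-setup SYN and the ordinary ECN data segment (and any payload it carries) are invisible to every rule. Masking the two bits instead keeps all three packets under inspection while the fingerprint check stops firing on the ECN handshake.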