Snort mailing list archives

RE: Reserve Bit


From: "Jeff Dell" <jdell () activeworx com>
Date: Wed, 21 Jul 2004 01:33:29 -0400

That would be correct. To find out more about ECN, check out RFC 3168 at
ftp://ftp.isi.edu/in-notes/rfc3168.txt. Basically, ECN is new TCP
functionality to handle congestion control and avoidance.

Snort calls the TCP flag ECE (ECN-Echo) Reserved bit 1 and the TCP flag CWR
(Congestion Window Reduced) Reserved bit 2. 

There are some legitimate uses for this, but some programs use it to mess
with packet filters or to perform active OS fingerprinting. One program that
comes to mind is Nmap.

Cheers,

Jeff

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Matt Kettler
Sent: Wednesday, July 21, 2004 1:00 AM
To: Esler, Joel - Contractor; snort-users () lists sourceforge net
Subject: Re: [Snort-users] Reserve Bit

At 04:39 PM 7/20/2004, Esler, Joel - Contractor wrote:
Has anyone ever seen a packet come in with sig id:  523?

        BAD-TRAFFIC ip reserved bit set

Yes. ECN (explicit congestion notification) uses the reserved bits, IIRC.



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
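
The ECE and CWR flags discussed in the reply above, as an added example that is not part of the original post or of Snort's code: it reads the TCP flags byte and labels the ECE/CWR combination using the handshake definitions in RFC 3168, so legitimate ECN negotiation can be separated from combinations that need a closer look. The function names, labels and sample headers are assumptions made for illustration.

```python
import struct
from collections import Counter

# TCP flag bits: RFC 793 flags plus ECE and CWR from RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_header(flags, sport=40000, dport=80):
    """Constructed 20-byte TCP header (no options) for the samples below."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)

def tcp_flags(header):
    """Return the flags byte (offset 13) of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def classify_ecn(flags):
    """Label the ECE/CWR combination using the RFC 3168 handshake definitions."""
    ecn = flags & (ECE | CWR)
    if not ecn:
        return "no-ecn-flags"
    if flags & SYN and not flags & (RST | FIN):
        if not flags & ACK:
            # ECN-setup SYN carries both ECE and CWR.
            return "ecn-setup-syn" if ecn == (ECE | CWR) else "non-ecn-setup-syn"
        # ECN-setup SYN-ACK carries ECE without CWR.
        return "ecn-setup-syn-ack" if ecn == ECE else "non-ecn-setup-syn-ack"
    if flags & ACK and not flags & (SYN | RST):
        return "ecn-established"  # ECE/CWR signalling on an open connection
    return "review"  # no RFC 3168 pattern handled here; inspect manually

def triage(headers):
    """Count the labels seen across a list of raw TCP headers."""
    return Counter(classify_ecn(tcp_flags(h)) for h in headers)

# Constructed sample traffic, not captured packets.
SAMPLES = [build_header(f) for f in (
    SYN | ECE | CWR, SYN | ACK | ECE, ACK | ECE, ACK | PSH | CWR,
    SYN | ACK | ECE | CWR, ECE | CWR, RST | ECE, SYN | ACK)]

if __name__ == "__main__":
    for label, count in sorted(triage(SAMPLES).items()):
        print(f"{label}: {count}")
```

A "review" label only means the flag combination matches none of the RFC 3168 patterns this script handles; an ECN-setup SYN looks the same whichever program sent it.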





