[Snort-devel] TOS plugin modified (ECN mitigation)
cmg at ...81...
Fri Jan 12 16:25:47 EST 2001
Martin Roesch <roesch at ...48...> writes:
> I should probably add '+' and '*' flags to the TOS parser so that we can
> do better logic on the bit specification (it should really be "tos:
> 0x02+" to specify the ECT bit plus any others).
0x1 and 0x2 could be set in normal ECN traffic I think. If the router
sees congestion along the way, it will tack on the CE flag. 0x02+
would trigger false alerts on Queso packets once we start getting ECN.
I think the !0x2 is the correct signature based on reading Toby's
paper and the RFC.
Chris Green <cmg at ...81...>
A good pun is its own reword.