[Snort-devel] Drowning in ECN triggered false positives

Erich Meier Erich.Meier at ...2...
Thu Jan 25 07:24:49 EST 2001


Hi all!

Is there a solution known how to prevent those false positives caused by
Linux 2.4's ECN? I am drowning in single packet portscans.

Adding a
        scansToWatch &= ~sRESERVEDBITS;
in spp_portscan.c did not help.

Is there a workaround in the pipeline? I saw that Marty did the neccessary
changes to the TOS plugin, but is there anyone working on the portscan spp?

Thanks!
Erich




More information about the Snort-devel mailing list