[Snort-devel] Drowning in ECN triggered false positives

Joe McAlerney joey at ...63...
Thu Jan 25 13:51:56 EST 2001


Erich Meier wrote:
> 
> Hi all!
> 
> Is there a solution known how to prevent those false positives caused by
> Linux 2.4's ECN? I am drowning in single packet portscans.

A BPF filter could work for now.

# snort <command options> not 'tcp[13] & 192 != 0'

That will cover the use of either the 8th or 9th bits of the reserve
field.

-Joe M.

-- 
+--                            --+
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
+--                            --+
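As an added illustration, not part of the original thread, the following Python script builds a few constructed TCP headers and applies the same test the BPF expression performs, `(tcp[13] & 192) != 0`, so you can see exactly which packets the `not` filter keeps away from Snort. It assumes nothing about the Snort version in use; it only models the byte-13 flag test.

```python
import struct

# TCP flag bits in header byte 13. RFC 3168 assigns the top two bits,
# formerly reserved, to CWR (0x80) and ECE (0x40) for ECN.
FLAGS = {"CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
         "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
ECN_MASK = 0xC0  # 192 in the BPF expression tcp[13] & 192


def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header without options (sample input only).

    Checksum and urgent pointer stay zero; nothing here is ever transmitted.
    """
    flag_byte = 0
    for name in flags:
        flag_byte |= FLAGS[name]
    data_offset = 5 << 4  # five 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flag_byte, 65535, 0, 0)


def ecn_bits_set(tcp_header):
    """Equivalent of the BPF test 'tcp[13] & 192 != 0'."""
    return (tcp_header[13] & ECN_MASK) != 0


def passes_filter(tcp_header):
    """'not (tcp[13] & 192 != 0)': the packet reaches Snort only if neither
    ECN bit is set."""
    return not ecn_bits_set(tcp_header)


def flag_names(tcp_header):
    """Human-readable flag list for a header, handy when eyeballing a capture."""
    return [name for name, bit in FLAGS.items() if tcp_header[13] & bit]


# Constructed samples: an ECN-setup SYN as sent by an ECN-capable stack,
# a plain SYN, an ACK echoing ECE, and a FIN/PSH/URG probe with no ECN bits.
SAMPLES = {
    "ecn_setup_syn": build_tcp_header(40000, 80, ["SYN", "ECE", "CWR"]),
    "plain_syn": build_tcp_header(40001, 80, ["SYN"]),
    "ecn_echo_ack": build_tcp_header(80, 40000, ["ACK", "ECE"]),
    "fin_psh_urg_probe": build_tcp_header(40002, 80, ["FIN", "PSH", "URG"]),
}


def classify(samples):
    """Map each sample name to whether the BPF filter lets it through."""
    return {name: ("passed to snort" if passes_filter(hdr) else "dropped by filter")
            for name, hdr in samples.items()}


if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:18s} flags={','.join(flag_names(hdr)):15s} {classify(SAMPLES)[name]}")
```

The output makes the trade-off visible: every packet carrying ECE or CWR is excluded before Snort sees it, which silences the ECN-triggered alerts but also hides any genuine traffic from those hosts, including probes that happen to set the ECN bits. The filter is a stop-gap at the capture layer, not a fix in the detection logic.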
