[Snort-devel] Drowning in ECN triggered false positives
joey at ...63...
Thu Jan 25 13:51:56 EST 2001
Erich Meier wrote:
> Hi all!
> Is there a solution known how to prevent those false positives caused by
> Linux 2.4's ECN? I am drowning in single packet portscans.
A BPF filter could work for now.
# snort <command options> not 'tcp[13] & 192 != 0'
That will cover the use of either the 8th or 9th bits of the reserve
| Joe McAlerney, Silicon Defense |
| http://www.silicondefense.com/ |
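
An added example, not part of the original message: it applies the mask 192 to constructed TCP headers, assuming the filter tests the flags byte at TCP offset 13, to show which segments such a filter removes from Snort's view. The `is_ecn_setup` check (based on the RFC 3168 handshake), the helper names and all sample packets are assumptions of this example.

```python
import struct

# Bit values of the TCP flags byte (byte 13 of the TCP header).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ECN_MASK = ECE | CWR  # 0x40 | 0x80 = 192, the mask in the BPF expression

def tcp_header(flags, sport=40000, dport=80, seq=1, ack=0):
    """Build a constructed 20-byte TCP header (no options, checksum 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 65535, 0, 0)

def flags_byte(header):
    """Return tcp[13]; reject headers too short to contain it."""
    if len(header) < 14:
        raise ValueError("truncated TCP header")
    return header[13]

def seen_by_snort(header):
    """Model of: not (tcp[13] & 192 != 0). True if the packet is kept."""
    return (flags_byte(header) & ECN_MASK) == 0

def is_ecn_setup(header):
    """Narrower test (assumption): only the RFC 3168 ECN-setup SYN / SYN-ACK."""
    f = flags_byte(header)
    if not f & SYN:
        return False
    if f & ACK:                               # ECN-setup SYN-ACK: ECE set, CWR clear
        return (f & ECN_MASK) == ECE
    return (f & ECN_MASK) == ECN_MASK         # ECN-setup SYN: ECE and CWR set

# Constructed sample segments, not captured traffic.
SAMPLES = {
    "plain SYN": tcp_header(SYN),
    "ECN-setup SYN": tcp_header(SYN | ECE | CWR),
    "ECN-setup SYN-ACK": tcp_header(SYN | ACK | ECE),
    "established, ECE echo": tcp_header(ACK | ECE),
    "established, CWR data": tcp_header(ACK | PSH | CWR),
}

def report():
    """Map each sample to (kept by the broad filter, is ECN handshake)."""
    return {name: (seen_by_snort(h), is_ecn_setup(h))
            for name, h in SAMPLES.items()}

if __name__ == "__main__":
    for name, (kept, setup) in report().items():
        print(f"{name:24} kept={kept!s:5} ecn_setup={setup}")
```

The last two samples are the ones to note: the mask also excludes ECN-marked segments of established connections, not only the handshake packets, so Snort inspects none of that traffic while the filter is in place.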