[Snort-devel] Drowning in ECN triggered false positives

Martin Roesch roesch at ...48...
Fri Jan 26 00:26:06 EST 2001


I think that the portscan preprocessor needs a little rethinking.  It
should really be looking for signs of ECN traffic as well as both full
connect and half-open SYN scans.  I've heard rumors that Patrick Mullen
might be working on just such a beast...

    -Marty

Joe McAlerney wrote:
> 
> Erich Meier wrote:
> >
> > Hi all!
> >
> > Is there a known solution for preventing those false positives caused by
> > Linux 2.4's ECN? I am drowning in single-packet portscans.
> 
> A BPF filter could work for now.
> 
> # snort <command options> not 'tcp[13] & 192 != 0'
> 
> That will cover the use of either the 8th or 9th bits of the reserve
> field.
> 
> -Joe M.
> 
> --
> +--                            --+
> | Joe McAlerney, Silicon Defense |
> | http://www.silicondefense.com/ |
> +--                            --+
> 

--
Martin Roesch
roesch at ...48...
http://www.snort.org
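As an added example (not Joe's or Marty's code, and not part of Snort), here is a Python rendering of the BPF predicate from the thread together with a flags classifier of the kind an ECN-aware portscan check would need; the TCP header bytes are constructed, and the ECN-setup SYN / SYN-ACK definitions are assumed from RFC 3168.

```python
# Added example: evaluate `tcp[13] & 192 != 0` the way the BPF filter in the
# thread does, and label TCP flag bytes so an ECN-setup SYN (SYN+CWR+ECE)
# is recognised as ECN negotiation rather than as a single-packet scan.
import struct

CWR, ECE, URG, ACK = 0x80, 0x40, 0x20, 0x10
PSH, RST, SYN, FIN = 0x08, 0x04, 0x02, 0x01
ECN_MASK = CWR | ECE  # == 192, the mask used in the BPF filter


def tcp_flags(tcp_header: bytes) -> int:
    """Return byte 13 of the TCP header, i.e. tcp[13] in BPF terms."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return tcp_header[13]


def bpf_drops(tcp_header: bytes) -> bool:
    """True when the packet matches tcp[13] & 192 != 0, so the
    'not ...' filter from the thread would hide it from Snort."""
    return tcp_flags(tcp_header) & ECN_MASK != 0


def classify(flags: int) -> str:
    """Label a flags byte. Per RFC 3168 (assumed here), an ECN-setup SYN
    carries SYN+CWR+ECE and an ECN-setup SYN-ACK carries SYN+ACK+ECE."""
    base = flags & ~ECN_MASK & 0xFF  # flags with the two ECN bits cleared
    if base == SYN and flags & ECN_MASK == ECN_MASK:
        return "ecn-setup-syn"
    if base == SYN | ACK and flags & ECN_MASK == ECE:
        return "ecn-setup-syn-ack"
    if base == SYN:
        return "syn"
    if base == SYN | ACK:
        return "syn-ack"
    if flags & ECN_MASK:
        return "ecn-other"
    return "other"


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header (seq/ack/window/csum zeroed)."""
    data_offset = 5 << 4  # 20-byte header, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 0, 0, 0)


# Constructed samples: a Linux 2.4 style ECN-setup SYN and a plain SYN.
ECN_SYN = build_tcp_header(40000, 80, SYN | CWR | ECE)
PLAIN_SYN = build_tcp_header(40001, 80, SYN)
```

The filter hides every packet with either ECN bit set, which is why Marty's suggestion of teaching the preprocessor to recognise ECN negotiation is the longer-term fix.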