[Snort-devel] Drowning in ECN triggered false positives
Erich.Meier at ...2...
Fri Jan 26 04:19:42 EST 2001
On Thu, Jan 25, 2001 at 10:51:56AM -0800, Joe McAlerney wrote:
> Erich Meier wrote:
> > Hi all!
> > Is there a known solution for preventing those false positives caused by
> > Linux 2.4's ECN? I am drowning in single-packet portscans.
> A BPF filter could work for now.
> # snort <command options> not 'tcp[13] & 192 != 0'
> That will cover the use of either the 8th or 9th bits of the reserve
Yes, that is a good idea. It's a lot quieter here now.
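
An added example (not part of the original thread) showing which packets the negated filter `tcp[13] & 192 != 0` keeps away from Snort. The header bytes are constructed samples and the function names are hypothetical. The filter hides every TCP packet with either bit set, not only the Linux 2.4 connection setup.

```python
import struct

ECE, CWR = 0x40, 0x80      # the two high bits of TCP header byte 13
ECN_MASK = ECE | CWR       # 192, the mask used in the filter

FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
              (0x10, "ACK"), (0x20, "URG"), (ECE, "ECE"), (CWR, "CWR")]

def build_tcp_header(sport, dport, flags):
    """Constructed 20-byte TCP header (no options, checksum left at 0)."""
    # sport, dport, seq, ack, data offset (5 words), flags, window, cksum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags,
                       8192, 0, 0)

def flag_names(tcp):
    """Decode byte 13 of the TCP header into flag names."""
    return [name for bit, name in FLAG_NAMES if tcp[13] & bit]

def matches_ecn(tcp):
    """True where the BPF expression 'tcp[13] & 192 != 0' is true."""
    return (tcp[13] & ECN_MASK) != 0

def snort_sees(tcp):
    """The filter is negated with 'not', so Snort sees only non-matches."""
    return not matches_ecn(tcp)

# Constructed sample packets (TCP header only).
SAMPLES = {
    "plain SYN": build_tcp_header(40000, 80, 0x02),
    "ECN-setup SYN": build_tcp_header(40001, 80, 0x02 | ECE | CWR),
    "ECN-setup SYN-ACK": build_tcp_header(80, 40001, 0x12 | ECE),
    "ACK with CWR": build_tcp_header(40001, 80, 0x10 | CWR),
    "SYN+FIN with ECE": build_tcp_header(40002, 80, 0x03 | ECE),
}

def report():
    """Return (label, flags, seen-by-Snort) for every sample."""
    return [(label, flag_names(hdr), snort_sees(hdr))
            for label, hdr in SAMPLES.items()]

if __name__ == "__main__":
    for label, flags, seen in report():
        verdict = "inspected" if seen else "filtered out"
        print(f"{label:20} {'+'.join(flags):16} {verdict}")
```

The last sample is the blind spot: an odd flag combination that Snort would normally inspect is dropped by the filter simply because it carries one of the two bits.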