[Snort-devel] Drowning in ECN triggered false positives

Erich Meier Erich.Meier at ...2...
Fri Jan 26 04:19:42 EST 2001


On Thu, Jan 25, 2001 at 10:51:56AM -0800, Joe McAlerney wrote:
> Erich Meier wrote:
> > 
> > Hi all!
> > 
> > Is there a solution known how to prevent those false positives caused by
> > Linux 2.4's ECN? I am drowning in single packet portscans.
> 
> A BPF filter could work for now.
> 
> # snort <command options> not 'tcp[13] & 192 != 0'
> 
> That will cover the use of either the 8th or 9th bits of the reserve
> field.

Yes, that is a good idea. It's a lot quieter here now.

Thanks,
Erich
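The BPF expression in the thread works because `tcp[13]` is the TCP flags byte and `192` (0xC0) masks exactly the two bits RFC 3168 carved out of the old reserved field for ECN: CWR (0x80) and ECE (0x40). A Linux 2.4 host negotiating ECN sets both on its SYN, which is what the reserved-bits rules were firing on. The following added example (not code from the list or from Snort) builds minimal TCP headers with constructed flag combinations and applies the same test the filter does, so you can see which packets the filter hides from the detection engine. The header builder and packet names are assumptions for illustration only.

```python
import struct

# TCP flag bits as they appear in the flags byte, i.e. BPF offset tcp[13].
# CWR and ECE are the former reserved bits that Linux 2.4 uses for ECN.
CWR = 0x80
ECE = 0x40
URG = 0x20
ACK = 0x10
PSH = 0x08
RST = 0x04
SYN = 0x02
FIN = 0x01

ECN_MASK = CWR | ECE  # == 192, the constant in the BPF expression


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=5840):
    """Return a constructed 20-byte TCP header (no options) with the given flags.

    Data offset is 5 words; checksum and urgent pointer are left at zero since
    this is only used to demonstrate flag matching, not to send traffic.
    """
    offset_and_flags = (5 << 12) | (flags & 0xFF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_and_flags, window, 0, 0)


def tcp_flags(header):
    """The flags byte, the same thing BPF reads as tcp[13]."""
    return header[13]


def ecn_bits_set(header):
    """Equivalent of the BPF test  tcp[13] & 192 != 0 ."""
    return (tcp_flags(header) & ECN_MASK) != 0


def passes_bpf_filter(header):
    """Equivalent of the suggested snort filter:  not 'tcp[13] & 192 != 0' .

    True means Snort would still see the packet; False means the filter
    drops it before any rule runs.
    """
    return not ecn_bits_set(header)


# Constructed sample packets. Names are illustrative labels only.
SAMPLE_PACKETS = [
    ("linux24-ecn-syn", build_tcp_header(40000, 80, SYN | CWR | ECE)),
    ("plain-syn",       build_tcp_header(40001, 80, SYN)),
    ("ecn-echo-ack",    build_tcp_header(40002, 80, ACK | ECE)),
    ("push-ack",        build_tcp_header(40003, 80, ACK | PSH)),
    ("cwr-only-data",   build_tcp_header(40004, 80, ACK | CWR)),
]


def classify(packets):
    """Split (name, header) pairs into those the filter keeps and those it drops."""
    kept, dropped = [], []
    for name, header in packets:
        (kept if passes_bpf_filter(header) else dropped).append(name)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = classify(SAMPLE_PACKETS)
    print("seen by snort :", kept)
    print("filtered out  :", dropped)
```

One caveat worth keeping in mind when running with that filter: it is applied before the detection engine, so every packet carrying CWR or ECE becomes invisible to all rules, not only to the reserved-bits one. Listing which hosts on your network actually negotiate ECN (the `ecn-*` entries above) is a quick way to judge how much traffic that is.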



