[Snort-devel] ECN bits evade SYN detection

Dirk Mueller dmuell at ...224...
Mon Aug 12 16:48:01 EDT 2002


It seems the TCP ECN bits (1 and 2 Snort "flags") evade SYN detection. Many 
Snort rules use "flags:S" to detect SYN packets, and those rules fail when 
an ECN bit is set. 

Is this a bug or a feature? It would be simple to make flags:S behave like 
"SYN set and not ACK or RST set" in Snort, and it would be quite painful to 
fix all the signatures out there. On the other side, changing Snort might 
break rules which depend on the current behaviour. 

Any comments?

Dirk (received 62 mails today)
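The following is an added example, not part of Dirk's post or of Snort's code. It models the three flag-matching semantics the post contrasts: exact match (the packet's flag byte must equal the rule's flags, which is how `flags:S` is described as behaving), exact match with the two ECN bits masked out, and the proposed "SYN set and neither ACK nor RST set". The bit values follow RFC 793 and RFC 3168 (ECE = 0x40, CWR = 0x80); the TCP headers and the rule strings are constructed for the demo, and the matcher functions are hypothetical names, not Snort's API.

```python
"""Added example: how an exact-match `flags:S` test misses ECN-negotiating
SYNs, and how a 'SYN set and no ACK/RST' test behaves instead.
Packet bytes and matcher semantics are constructed for illustration."""

import struct

# TCP flag bits from the flags byte of the TCP header (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# Rule letters for the six classic flags; ECE/CWR are the two bits the
# post refers to as Snort flags "1" and "2" (the former reserved bits).
LETTER = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed minimal 20-byte TCP header (no options) with the given flags."""
    data_offset = 5 << 4  # 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       data_offset, flags, 65535, 0, 0)


def tcp_flags(tcp_header: bytes) -> int:
    """Flags byte sits at offset 13 of the TCP header."""
    return tcp_header[13]


def rule_bits(rule: str) -> int:
    """Translate a rule string such as 'S' or 'SA' into a flag mask."""
    return sum(LETTER[c] for c in rule)


def match_exact(rule: str, flags: int) -> bool:
    """Exact-match semantics: the flag byte must equal the rule's flags,
    so any extra bit (including ECE/CWR) defeats the match."""
    return flags == rule_bits(rule)


def match_exact_ignoring_ecn(rule: str, flags: int) -> bool:
    """Exact match after masking out the two ECN bits."""
    return (flags & ~(ECE | CWR) & 0xFF) == rule_bits(rule)


def match_syn_no_ack_rst(flags: int) -> bool:
    """The semantics proposed in the post: SYN set, neither ACK nor RST set."""
    return bool(flags & SYN) and not (flags & (ACK | RST))


# Constructed sample packets: a plain SYN, an ECN-setup SYN (RFC 3168 sets
# ECE and CWR on the initial SYN), a SYN-ACK, an ECN-setup SYN-ACK, and a RST.
SAMPLES = {
    "SYN":         build_tcp_header(40000, 80, SYN),
    "SYN+ECN":     build_tcp_header(40001, 80, SYN | ECE | CWR),
    "SYN-ACK":     build_tcp_header(80, 40000, SYN | ACK),
    "SYN-ACK+ECN": build_tcp_header(80, 40001, SYN | ACK | ECE),
    "RST":         build_tcp_header(80, 40002, RST),
}


def evaluate(samples=SAMPLES) -> dict:
    """Run each sample through the three matchers; returns a results table."""
    table = {}
    for name, hdr in samples.items():
        f = tcp_flags(hdr)
        table[name] = {
            "flags": f,
            "exact_S": match_exact("S", f),
            "exact_S_ignore_ecn": match_exact_ignoring_ecn("S", f),
            "syn_no_ack_rst": match_syn_no_ack_rst(f),
        }
    return table


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:12s} flags=0x{row['flags']:02x} "
              f"exact_S={row['exact_S']!s:5s} "
              f"ignore_ecn={row['exact_S_ignore_ecn']!s:5s} "
              f"syn_no_ack_rst={row['syn_no_ack_rst']}")
```

Running it shows the gap the post describes: the ECN-setup SYN (flags 0xc2) fails the exact `S` match but passes both alternatives, while a SYN-ACK and a RST are correctly rejected by the proposed rule. The two alternatives differ on which other bits they tolerate (masking only forgives ECE/CWR; the proposed semantics also accept SYN with PSH or URG set), which is the compatibility trade-off the post raises. Snort's rule language also carries its own modifier syntax for the `flags` option (for instance `S+` for SYN plus any other bits), which the post does not go into.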

