[Snort-devel] ECN bits evade SYN detection
dmuell at ...224...
Mon Aug 12 16:48:01 EDT 2002
It seems the TCP ECN bits (1 and 2 in Snort "flags" terms) evade SYN detection. Many Snort rules use "flags:S" to detect SYN packets, and those rules fail when an ECN bit is set.

Is this a bug or a feature? It would be simple to make flags:S behave like "SYN set and not ACK or RST set" in Snort, and it would be quite painful to fix all the signatures out there. On the other hand, changing Snort might break rules which depend on the current behaviour.

Any comments?
Dirk (received 62 mails today)
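As an added illustration (not part of the original post and not Snort's own code), the following is a simplified model of how a Snort "flags" option is compared against a packet's TCP flag byte, using the letters and the ",12" ignore-mask from the Snort rule syntax. It shows why an ECN-setup SYN fails a plain "flags:S", and how "flags:S,12", "flags:S+", or the "SYN set and not ACK or RST" behaviour proposed above each handle it; the matcher and the sample packets are constructed for this example.

```python
# Constructed model of Snort's TCP "flags" option matching (example code,
# not the Snort implementation). Flag letters follow the Snort rule syntax;
# "1" and "2" are the reserved bits that ECN (CWR and ECE) now uses.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # reserved bit 2 (ECE)
    "1": 0x80,  # reserved bit 1 (CWR)
    "0": 0x00,  # no flags set
}

def parse_flags_option(option: str):
    """Parse a 'flags:' value into (mode, wanted_bits, ignore_mask).

    mode is '' (exact match), '+' (wanted bits plus any others),
    '*' (any of the wanted bits) or '!' (none of them). A ',1', ',2' or
    ',12' suffix names reserved bits masked out of the packet first.
    """
    spec, _, mask = option.partition(",")
    mode, bits, ignore = "", 0, 0
    for ch in spec:
        if ch in "+*!":
            mode = ch  # modifier accepted before or after the letters
        else:
            bits |= FLAG_BITS[ch]
    for ch in mask:
        ignore |= FLAG_BITS[ch]
    return mode, bits, ignore

def flags_match(option: str, packet_flags: int) -> bool:
    """True if a packet with this TCP flag byte satisfies the option."""
    mode, want, ignore = parse_flags_option(option)
    have = packet_flags & ~ignore & 0xFF
    if mode == "":
        return have == want           # exact: no extra bits allowed
    if mode == "+":
        return have & want == want    # all wanted bits, extras allowed
    if mode == "*":
        return have & want != 0       # any wanted bit
    return have & want == 0           # '!': none of the wanted bits

def proposed_syn_match(packet_flags: int) -> bool:
    """The semantics proposed in the post: SYN set, ACK and RST clear,
    every other bit (including the ECN bits) ignored."""
    return bool(packet_flags & FLAG_BITS["S"]) and not (
        packet_flags & (FLAG_BITS["A"] | FLAG_BITS["R"]))

# Constructed packets: a plain SYN and an ECN-setup SYN (SYN + ECE + CWR).
PLAIN_SYN = FLAG_BITS["S"]
ECN_SYN = FLAG_BITS["S"] | FLAG_BITS["2"] | FLAG_BITS["1"]
```

Running `flags_match("S", ECN_SYN)` returns False while `flags_match("S,12", ECN_SYN)` returns True, which is the evasion described in the post.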