[Snort-devel] ECN bits evade SYN detection

Vinay A. Mahadik VAMahadik at ...1463...
Mon Aug 12 17:23:06 EDT 2002


Dirk Mueller wrote:
> 
> Hi,
> 
> It seems the TCP ECN bits (1 and 2 snort "flags") evade SYN detection. Many
> snort rules use "flags:S" to detect SYN packets, and those rules fail when
> an ECN bit is set.
> 
> Is this a bug or a feature? It would be simple to make flags:S behave like
> "SYN set and not ACK or RST set" in snort, and it would be quite painful to
> fix all the signatures out there. On the other side, changing snort might
> break rules which depend on the current behaviour.
> 

How about a flags-mask?

--
Vinay A. Mahadik
Summer Intern
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 495 2618
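As an added illustration of the two proposals in this thread (it is not Snort code and not part of the original messages), the Python below models the TCP flag byte and compares three ways of evaluating a "flags:S" test: the exact-byte match that the quoted message says ECN-enabled SYNs slip past, the "SYN set and not ACK or RST" reading suggested by Dirk, and the flags-mask reading suggested in the reply. The `S,12` spec string, the sample segments and the function names are all constructed here for the example; Snort 2 later adopted the comma-separated ignore-mask shape (`flags:S,12`), but the parser here is a simplified stand-in, not Snort's.

```python
import struct

# TCP flag byte (offset 13 of the TCP header), bit 0 = FIN ... bit 7 = CWR.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

# Snort-style single-letter names; "1" and "2" are the ECN bits the thread calls
# "reserved bits 1 and 2" (ECE and CWR in RFC 3168 terms).
FLAG_CHARS = {"F": FIN, "S": SYN, "R": RST, "P": PSH,
              "A": ACK, "U": URG, "1": ECE, "2": CWR}


def parse_spec(spec: str):
    """Parse a constructed 'S' or 'S,12' style spec into (wanted, ignored) bitmasks.

    Everything before the comma is the flag set that must be present; everything
    after it is the set of bits to clear before comparing.
    """
    flags_part, _, ignore_part = spec.partition(",")
    wanted = 0
    for ch in flags_part:
        wanted |= FLAG_CHARS[ch]
    ignored = 0
    for ch in ignore_part:
        ignored |= FLAG_CHARS[ch]
    return wanted, ignored


def match_exact(flags: int, spec: str) -> bool:
    """Exact-byte semantics: the flag byte must equal precisely the listed flags.

    This is the behaviour the quoted message describes: a SYN with ECE/CWR set
    is no longer equal to SYN alone, so the rule misses it.
    """
    wanted, _ = parse_spec(spec)
    return flags == wanted


def match_syn_not_ack_rst(flags: int) -> bool:
    """Dirk's alternative: SYN present and neither ACK nor RST present.

    Any other bits (PSH, URG, ECE, CWR) are simply not consulted.
    """
    return bool(flags & SYN) and not (flags & (ACK | RST))


def match_masked(flags: int, spec: str) -> bool:
    """Flags-mask semantics: clear the ignored bits, then require an exact match."""
    wanted, ignored = parse_spec(spec)
    return (flags & ~ignored & 0xFF) == wanted


def tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP header (no options assumed)."""
    return segment[13]


def build_tcp_header(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header with the given flag byte; other fields are dummies."""
    data_offset = (5 << 4)  # 5 x 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0x11111111, 0,
                       data_offset, flags, 65535, 0, 0)


# Constructed sample segments: the three cases the thread cares about.
SAMPLE_SEGMENTS = {
    "plain SYN":        build_tcp_header(SYN),
    "ECN-setup SYN":    build_tcp_header(SYN | ECE | CWR),   # RFC 3168 style SYN
    "SYN-ACK":          build_tcp_header(SYN | ACK),
}


def evaluate(spec: str = "S", ignore_spec: str = "S,12"):
    """Run every sample segment through the three matchers; returns {name: (exact, syn_only, masked)}."""
    results = {}
    for name, seg in SAMPLE_SEGMENTS.items():
        f = tcp_flags(seg)
        results[name] = (match_exact(f, spec),
                         match_syn_not_ack_rst(f),
                         match_masked(f, ignore_spec))
    return results


if __name__ == "__main__":
    for name, (exact, syn_only, masked) in evaluate().items():
        print(f"{name:14s} exact={exact!s:5s} syn_not_ack_rst={syn_only!s:5s} masked={masked}")
```

Running it shows the gap the thread describes: the ECN-setup SYN is missed by the exact comparison but caught by both the "SYN and not ACK/RST" reading and the mask reading, while the SYN-ACK stays unmatched under all three. The two fixes differ only in who decides which bits are ignored: the mask keeps that choice in each rule, so existing signatures that rely on exact matching keep their behaviour until they are edited.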
