[Snort-devel] ECN bits evade SYN detection

Chris Green cmg at ...402...
Tue Aug 13 04:20:09 EDT 2002

Dirk Mueller <dmuell at ...224...> writes:

> Hi,
> It seems the TCP ECN bits (1 and 2 snort "flags") evade SYN detection. Many
> snort rules use "flags:S" to detect SYN packets, and those rules fail when
> an ECN bit is set.
> Is this a bug or a feature?

Both.  Bad assumption in the rules; Limitation of snort.  Let's fix
both the rules & snort.

> It would be simple to make flags:S behave like "SYN set and not ACK
> or RST set" in snort, and it would be quite painful to fix all the
> signatures out there. On the other side, changing snort might break
> rules which depend on the current behaviour.

Rather, I would prefer to make it


Which would first mask off the ECN bits, then the Syn bits.  Let me
finish eating my bagel and I'll code this up over my morning coffee.
Chris Green <cmg at ...402...>
"Yeah, but you're taking the universe out of context."
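
The matching semantics discussed in this thread, as an added example that is not part of the original messages and is not Snort's code: an exact compare against SYN, a compare after masking off the ECN bits, and the quoted "SYN set and not ACK or RST set" test. The function names and sample flag bytes are constructed for illustration; the ECE and CWR bit values follow RFC 3168.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits (RFC 793; ECE and CWR from RFC 3168). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10
#define TH_URG 0x20
#define TH_ECE 0x40
#define TH_CWR 0x80
#define ECN_BITS (TH_ECE | TH_CWR)

/* Exact comparison: the behaviour the thread reports for "flags:S". */
int match_exact(uint8_t flags, uint8_t want) { return flags == want; }

/* Hypothetical helper: clear the bits in `ignore`, then compare exactly. */
int match_masked(uint8_t flags, uint8_t want, uint8_t ignore)
{
    return (uint8_t)(flags & (uint8_t)~ignore) == want;
}

/* The alternative from the quoted mail: SYN set, ACK and RST clear. */
int match_syn_no_ack_rst(uint8_t flags)
{
    return (flags & TH_SYN) && !(flags & (TH_ACK | TH_RST));
}

int main(void)
{
    /* Constructed sample flag bytes, not captured traffic. */
    struct { const char *name; uint8_t flags; } s[] = {
        { "plain SYN",     TH_SYN },
        { "ECN-setup SYN", TH_SYN | TH_ECE | TH_CWR },
        { "SYN+ACK",       TH_SYN | TH_ACK },
        { "SYN+FIN",       TH_SYN | TH_FIN },
    };
    for (size_t i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("%-14s 0x%02x exact=%d masked=%d syn-no-ack-rst=%d\n",
               s[i].name, s[i].flags,
               match_exact(s[i].flags, TH_SYN),
               match_masked(s[i].flags, TH_SYN, ECN_BITS),
               match_syn_no_ack_rst(s[i].flags));
    return 0;
}
```

The SYN+FIN row is where the two proposals differ: the masked exact compare rejects it, while the "SYN set and not ACK or RST set" test accepts it.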