[Snort-devel] Snort v2 and flags ECE/CWR ...

rmkml rmkml at ...1042...
Wed Apr 16 09:06:02 EDT 2003

Hi All,

Snort v191b234 not view this packet with this tcp flags ECE/CWR,

alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SFE;)
alert tcp any any -> any any (msg:"Snort 191 bypass CWR"; flags:SFC;)

Snort v200build72 not found this packet because rules error :

ERROR: ./rules2/other-ids.rules(24): bad TCP flag = "E"
Valid otions: UAPRSF12 or 0 for NO flags (e.g. NULL scan), and !, + or *
for modifiers
Fatal Error, Quitting..

Snort v2 parse E and W flags ?


PS: other nids Firestorm view and alert this packets...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sfe-snort191pbs.tcpdump.gz
Type: application/x-gzip
Size: 202 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030416/3eaf30db/attachment.bin>

More information about the Snort-devel mailing list