[Snort-devel] Snort v2 and flags ECE/CWR ...
cmg at ...402...
Wed Apr 16 09:35:18 EDT 2003
rmkml <rmkml at ...1042...> writes:
> Hi All,
> Snort v191b234 does not see this packet with these TCP flags ECE/CWR,
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SFE;)
> alert tcp any any -> any any (msg:"Snort 191 bypass CWR"; flags:SFC;)
I'm sure that that is a bad parser check because there's no code to
accept that notation in snort.
> Snort v200build72 did not find this packet because of a rules error:
> ERROR: ./rules2/other-ids.rules(24): bad TCP flag = "E"
> Valid otions: UAPRSF12 or 0 for NO flags (e.g. NULL scan), and !, + or *
> for modifiers
> Fatal Error, Quitting..
> Does Snort v2 parse E and W flags?
It uses 1 and 2 to represent those bits ( as indicated by the error
1 is CWR
2 is ECE
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
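The letter-to-bit mapping from the reply above, as an added example that is not part of the original message and is not Snort's own source. The function names are hypothetical; the bit values follow RFC 3168 (CWR = 0x80, ECE = 0x40), and the modifier semantics assume the Snort manual's description of `+`, `*` and `!`.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits (RFC 793 / RFC 3168). */
enum { F_FIN = 0x01, F_SYN = 0x02, F_RST = 0x04, F_PSH = 0x08,
       F_ACK = 0x10, F_URG = 0x20, F_ECE = 0x40, F_CWR = 0x80 };

/* Parse a flags: option string such as "SF2" (hypothetical helper).
 * Returns 0 on success, -1 on a letter outside "UAPRSF12", "0", "!+*".
 * mode is 0 for an exact match, or the modifier character seen. */
int parse_flags(const char *s, uint8_t *mask, char *mode)
{
    *mask = 0;
    *mode = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'F': *mask |= F_FIN; break;
        case 'S': *mask |= F_SYN; break;
        case 'R': *mask |= F_RST; break;
        case 'P': *mask |= F_PSH; break;
        case 'A': *mask |= F_ACK; break;
        case 'U': *mask |= F_URG; break;
        case '1': *mask |= F_CWR; break;   /* reserved bit 1 = CWR */
        case '2': *mask |= F_ECE; break;   /* reserved bit 2 = ECE */
        case '0': break;                   /* no flags (NULL scan) */
        case '!': case '+': case '*': *mode = *s; break;
        default:  return -1;               /* e.g. 'E' is rejected */
        }
    }
    return 0;
}

/* Compare a packet's flags byte against a parsed rule. */
int flags_match(uint8_t pkt, uint8_t mask, char mode)
{
    switch (mode) {
    case '+': return (pkt & mask) == mask;  /* these bits plus any others */
    case '*': return (pkt & mask) != 0;     /* any of these bits */
    case '!': return (pkt & mask) == 0;     /* none of these bits */
    default:  return pkt == mask;           /* exact match */
    }
}

int main(void)
{
    uint8_t mask; char mode;
    uint8_t pkt = F_SYN | F_FIN | F_ECE;    /* constructed sample packet */
    printf("SFE parses: %d\n", parse_flags("SFE", &mask, &mode));
    printf("SF2 parses: %d\n", parse_flags("SF2", &mask, &mode));
    printf("SF2 matches SYN+FIN+ECE: %d\n", flags_match(pkt, mask, mode));
    return 0;
}
```

Under this mapping the two rules quoted in the message would be written with `flags:SF2;` for ECE and `flags:SF1;` for CWR.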