[Snort-devel] Snort v2 and flags ECE/CWR ...

Chris Green cmg at ...402...
Wed Apr 16 09:35:18 EDT 2003


rmkml <rmkml at ...1042...> writes:

> Hi All,
>
> Snort v191b234 does not see this packet with the TCP flags ECE/CWR,
>
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SFE;)
> alert tcp any any -> any any (msg:"Snort 191 bypass CWR"; flags:SFC;)

I'm sure that that is a bad parser check because there's no code to
accept that notation in snort.

>
> Snort v200build72 does not find this packet because of a rules error:
>
> ERROR: ./rules2/other-ids.rules(24): bad TCP flag = "E"
> Valid otions: UAPRSF12 or 0 for NO flags (e.g. NULL scan), and !, + or *
> for modifiers
> Fatal Error, Quitting..
>
> Does Snort v2 parse E and W flags?

It uses 1 and 2 to represent those bits (as indicated by the error
message).

1 is CWR
2 is ECE
-- 
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
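
The mapping in the reply above, as an added example that is not part of the original thread and is not Snort's own code: a small parser for the `flags:` option that accepts the characters listed in the error message and checks a TCP flags byte against it. The function names and sample bytes are hypothetical, and the modifier semantics (`+` all listed bits set, `*` any listed bit set, `!` none set) are an assumption taken from the Snort manual's description.

```python
# Added illustration, not Snort source code. Bit values are the TCP header
# flag bits (RFC 3168 for ECE/CWR); the character set follows the error
# message quoted above, with 1 = CWR and 2 = ECE as stated in the reply.
TCP_FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
    "A": 0x10, "U": 0x20,
    "2": 0x40,  # ECE
    "1": 0x80,  # CWR
}
MODIFIERS = {"!": "not", "+": "all", "*": "any"}


def parse_flags_option(value):
    """Parse the argument of a `flags:` option into (mode, bitmask)."""
    mode, mask = "exact", 0
    for ch in value.strip():
        if ch in MODIFIERS:
            mode = MODIFIERS[ch]
        elif ch == "0":
            continue  # "0" means no flags set (NULL scan); mask stays 0
        elif ch in TCP_FLAG_BITS:
            mask |= TCP_FLAG_BITS[ch]
        else:
            # Mirrors the rejection of "E" shown in the thread
            raise ValueError('bad TCP flag = "%s"' % ch)
    return mode, mask


def flags_match(option, tcp_flags):
    """Return True if the packet's TCP flags byte satisfies the option."""
    mode, mask = parse_flags_option(option)
    if mode == "all":   # assumed: every listed bit set, others ignored
        return (tcp_flags & mask) == mask
    if mode == "any":   # assumed: at least one listed bit set
        return (tcp_flags & mask) != 0
    if mode == "not":   # assumed: none of the listed bits set
        return (tcp_flags & mask) == 0
    return tcp_flags == mask  # no modifier: exact match


# Constructed sample flag bytes (not captured traffic)
SYN_FIN_ECE = 0x02 | 0x01 | 0x40
SYN_FIN_CWR = 0x02 | 0x01 | 0x80
```

With this mapping the two rules from the question would be written with `flags:SF2;` (ECE) and `flags:SF1;` (CWR).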



