[Snort-devel] Snort v2 and flags ECE/CWR ...

rmkml rmkml at ...1042...
Wed Apr 16 10:00:04 EDT 2003


OK,

I changed the bad rules:
alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SFE;)
alert tcp any any -> any any (msg:"Snort 191 bypass CWR"; flags:SFC;)

to the new rules:
alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF1;)
alert tcp any any -> any any (msg:"Snort 191 bypass CWR"; flags:SF2;)

and Snort runs, but there is no event when I send a packet with ECE/CWR
(tcpdump capture attached to the first message).

How do I detect these flags in Snort v2?

Regards.



Chris Green wrote:

> rmkml <rmkml at ...1042...> writes:
>
> > Hi All,
> >
> > Snort v191b234 does not see this packet with these TCP flags ECE/CWR:
> >
> > alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SFE;)
> > alert tcp any any -> any any (msg:"Snort 191 bypass CWR"; flags:SFC;)
>
> I'm sure that that is a bad parser check because there's no code to
> accept that notation in Snort.
>
> >
> > Snort v200build72 does not find this packet because of a rule error:
> >
> > ERROR: ./rules2/other-ids.rules(24): bad TCP flag = "E"
> > Valid otions: UAPRSF12 or 0 for NO flags (e.g. NULL scan), and !, + or *
> > for modifiers
> > Fatal Error, Quitting..
> >
> > Does Snort v2 parse the E and W flags?
>
> It uses 1 and 2 to represent those bits ( as indicated by the error
> message )
>
> 1 is CWR
> 2 is ECE
> --
> Chris Green <cmg at ...402...>
> This is my signature. There are many like it but this one is mine.
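Added example for this thread (not Snort's own code and not part of either message): a small evaluator for the Snort 2 "flags:" rule option, so the notation from the error message above can be tried against a raw TCP flags byte. The assumed semantics are those of the Snort 2 rule language: the letters FSRPAU for the classic bits, 1 and 2 for the two reserved bits (1 = CWR, the MSB of the flags byte; 2 = ECE), "0" for no flags, the modifiers "+" (the given bits plus any others), "*" (any of the given bits) and "!" (none of the given bits), and an exact match when no modifier is given. The optional ",mask" suffix (bits to ignore when comparing) is also Snort 2 syntax, though the thread itself does not mention it. The sample packet is constructed.

```python
# Snort 2 "flags:" option evaluator (added illustration, not Snort source).
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # reserved bit 2 = ECE
    "1": 0x80,  # reserved bit 1 = CWR (MSB of the TCP flags byte)
}
MODIFIERS = "+*!"


def letters_to_mask(letters):
    """Convert a run of Snort flag letters to a bitmask.
    Unknown letters raise the same complaint Snort 2 prints ("bad TCP flag")."""
    if letters == "0":
        return 0
    mask = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError('bad TCP flag = "%s"' % ch)
        mask |= FLAG_BITS[ch]
    return mask


def parse_flags(spec):
    """Split a flags option value such as "SF1", "+S", "!12" or "S,12" into
    (modifier or None, wanted bits, ignored bits)."""
    modifier = None
    if spec and spec[0] in MODIFIERS:
        modifier, spec = spec[0], spec[1:]
    flags, _, ignore = spec.partition(",")
    return modifier, letters_to_mask(flags), (letters_to_mask(ignore) if ignore else 0)


def flags_match(spec, packet_flags):
    """Return True if a packet whose TCP flags byte is packet_flags would
    satisfy the rule option flags:<spec>."""
    modifier, want, ignore = parse_flags(spec)
    have = packet_flags & ~ignore & 0xFF
    if modifier is None:
        return have == want          # exact match: these bits and no others
    if modifier == "+":
        return have & want == want   # all given bits, others allowed
    if modifier == "*":
        return have & want != 0      # any of the given bits
    return have & want == 0          # "!": none of the given bits


def snort_letters(packet_flags):
    """Render a TCP flags byte in Snort's letter notation (e.g. 0xC2 -> "S12")."""
    return "".join(ch for ch in "FSRPAU12" if packet_flags & FLAG_BITS[ch]) or "0"


if __name__ == "__main__":
    # Constructed sample: a SYN with both ECN bits set (ECN-setup SYN), 0xC2.
    ecn_syn = FLAG_BITS["S"] | FLAG_BITS["2"] | FLAG_BITS["1"]
    print("packet flags:", snort_letters(ecn_syn))
    for spec in ("SF1", "S12", "S,12", "*12", "!12"):
        print("flags:%s -> %s" % (spec, flags_match(spec, ecn_syn)))
```

Because an unmodified flags value is an exact match, flags:SF1 only fires on a segment whose flags byte is exactly SYN+FIN+CWR; a SYN carrying both ECN bits (S12) does not satisfy it, whereas flags:S12, flags:*12 or flags:S,12 do. Feeding the flags byte from the tcpdump capture into flags_match is a quick way to check which expression a given packet would trigger before reloading the rules.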