[Snort-devel] Snort v2 and flags ECE/CWR ...

Chris Green cmg at ...402...
Wed Apr 16 11:25:18 EDT 2003


[ Obey Reply-To: header  It isn't set by mistake :) ]

rmkml <rmkml at ...1042...> writes:

> OK,
>
> I changed the bad rules:
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SFE;)
> alert tcp any any -> any any (msg:"Snort 191 bypass CWR"; flags:SFC;)
>
> to the new rules:
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF1;)
> alert tcp any any -> any any (msg:"Snort 191 bypass CWR"; flags:SF2;)
>
> and Snort runs, but there is no event when I send packets with ECE/CWR
> (tcpdump attached in the first msg).

There are no packets in your dump that match either of those rules
specifically.

You either need SF12 or SF1+ or SF1,2

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.13
-- 
Chris Green <cmg at ...402...>
You now have 14 minutes to reach minimum safe distance.
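The reason the SF1/SF2 rules stay silent is that a bare flags list in Snort 2 is an exact match on the whole TCP flag byte, so a packet carrying SYN+FIN+CWR+ECE is not "SF1". The simulator below is an added illustration, not Snort source or anything from the thread; it reimplements the documented flags semantics (exact match, `+` for "these bits plus any others", `*` for "any of these", `!` for "none of these", and an optional `,mask` of bits to ignore) and runs the option strings from the thread over a few constructed flag bytes. The mapping of Snort's letters `1` and `2` to reserved bit 1 (the MSB of the flag byte, 0x80, which RFC 3168 assigns to CWR) and reserved bit 2 (0x40, ECE) is an assumption taken from the Snort 2 rule manual's description of those letters; the packet names and values are constructed for the demonstration.

```python
"""Simulate Snort 2.x 'flags:' matching (added example, not Snort code).

Assumed letter-to-bit mapping: '1' = reserved bit 1 = 0x80 (CWR),
'2' = reserved bit 2 = 0x40 (ECE). All other letters follow RFC 793.
"""

# Snort 2 flag letters -> TCP flag byte bit values.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # reserved bit 2 = ECE (assumed mapping)
    "1": 0x80,  # reserved bit 1 = CWR (assumed mapping, MSB of the byte)
}

# Constructed packet flag bytes used for the demonstration.
PACKETS = {
    "SYN+FIN":         0x03,
    "SYN+FIN+CWR":     0x83,
    "SYN+FIN+ECE":     0x43,
    "SYN+FIN+CWR+ECE": 0xC3,
    "SYN+FIN+CWR+ACK": 0x93,
    "SYN+CWR+ECE":     0xC2,  # a normal ECN-setup SYN, no FIN
}


def _bits(letters):
    """Turn a string of Snort flag letters into a bitmask ('0' = none)."""
    value = 0
    for ch in letters:
        if ch == "0":
            continue
        value |= FLAG_BITS[ch]  # KeyError on a letter Snort does not know
    return value


def parse_flags_option(option):
    """Parse the argument of 'flags:' into (mode, flags, mask).

    mode is '' (exact), '+', '*' or '!'. The modifier is accepted in any
    position, so both 'flags:+SF1' and 'flags:SF1+' parse the same way.
    mask holds the bits listed after the comma, which are ignored.
    """
    spec, _, mask_spec = option.partition(",")
    mode, letters = "", ""
    for ch in spec.strip():
        if ch in "+*!":
            mode = ch
        else:
            letters += ch
    return mode, _bits(letters), _bits(mask_spec.strip())


def flags_match(option, packet_flags):
    """Return True if the packet's flag byte satisfies the flags option."""
    mode, want, mask = parse_flags_option(option)
    have = (packet_flags & ~mask) & 0xFF  # drop the masked-out bits first
    if mode == "":
        return have == want            # exact: nothing more, nothing less
    if mode == "+":
        return have & want == want     # all listed bits, others allowed
    if mode == "*":
        return have & want != 0        # at least one listed bit
    if mode == "!":
        return have & want == 0        # none of the listed bits
    raise ValueError("unknown flags modifier: %r" % mode)


def matching_packets(option, packets=PACKETS):
    """Names of the constructed packets that the option would alert on."""
    return [name for name, flags in packets.items() if flags_match(option, flags)]


if __name__ == "__main__":
    # The options from the thread: the two that miss, then the three fixes.
    for option in ("SF1", "SF2", "SF12", "SF1+", "SF1,2"):
        print("flags:%-6s -> %s" % (option + ";", ", ".join(matching_packets(option)) or "(nothing)"))
```

Running it shows `flags:SF1;` firing only on the SYN+FIN+CWR byte and `flags:SF12;` only on the exact SYN+FIN+CWR+ECE combination, while `SF1+` also accepts SYN+FIN+CWR+ACK and `SF1,2` does not, which is the practical difference between the two lenient forms.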