[Snort-devel] Snort v2 and flags ECE/CWR ...

rmkml rmkml at ...1042...
Wed Apr 16 11:48:09 EDT 2003


I tested these rules and Snort v2 does not generate an event:

alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF1;)

alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF2;)

alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,12;)

alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,1;)

alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF1,2;)

alert any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,12;)
(with this rule, Snort stops and logs this message: bad protocol any,
but this rule is the same as the one on your web page:
http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.13
Error in your doc?)

cgreen: There are no packets in your dump that match either of those
cgreen: rules specifically.

Look at the tcpdump output of my file:
14:32:28.928704 80.15.82.251.18245 > 195.46.204.150.21536: SFE [tcp sum ok]
1619078639:1619078639(0) win 512 (ttl 103, id 41217, len 40)
14:32:28.985687 195.46.204.150.21536 > 80.15.82.251.18245: R [tcp sum ok] 0:0(0)
ack 1619078640 win 0 (ttl 45, id 0, len 40)
14:32:39.742288 80.15.82.251.18245 > 195.46.204.150.21536: SFW [tcp sum ok]
726825157:726825157(0) win 512 (ttl 103, id 43162, len 40)
14:32:39.806084 195.46.204.150.21536 > 80.15.82.251.18245: R [tcp sum ok] 0:0(0)
ack 726825158 win 0 (ttl 45, id 0, len 40)
and my file contains two TCP packets with the flags SYN-FIN-ECE and SYN-FIN-CWR ...

I use tcpreplay to restart the test ...

Regards.



Chris Green wrote:

> There are no packets in your dump that match either of those rules
> specifically.
>
> You either need SF12 or SF1+ or SF1,2
>
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.13
> --
> Chris Green <cmg at ...402...>
> You now have 14 minutes to reach minimum safe distance.
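As an added illustration (not code from this post or from Snort itself), the Python model below applies the documented flags syntax that the quoted reply points to (exact match with an optional ignore-mask after the comma, plus the +, * and ! modifiers) to the two SYN-FIN packets from the tcpdump output above. The mapping of the digits 1 and 2 to the CWR and ECE bits is an assumption taken from the Snort manual's description of the two reserved bits; the TCPDUMP_LETTERS table and the helper names are mine.

```python
# Added model of how a Snort-style "flags:" option body is evaluated against a
# packet's TCP flags byte. Written for this post, not Snort's own code; it follows
# the rule-writing documentation: flags:<bits>[,<mask>] is an exact match after
# clearing the mask bits; modifiers + (listed bits plus any), * (any listed), ! (none).
# Assumed digit meaning per the manual: 1 = reserved bit 1 (MSB, CWR), 2 = reserved bit 2 (ECE).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}

# tcpdump's letters for the same bits (E = ECE, W = CWR), as seen in the dump above
TCPDUMP_LETTERS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
                   "E": 0x40, "W": 0x80}

def tcpdump_flags(letters):
    """'SFE' -> 0x43; '.' (tcpdump shows no flags) -> 0."""
    return sum(TCPDUMP_LETTERS[c] for c in letters if c != ".")

def parse_flags_option(body):
    """Return (mode, wanted_bits, mask_bits) for a 'flags:' option body."""
    spec, _, mask_spec = body.strip().partition(",")
    mode, wanted, mask = "=", 0, 0
    for ch in spec:
        if ch in "+*!":
            mode = ch          # modifier may appear before or after the bits
        elif ch != "0":        # '0' means "no flags set"
            wanted |= FLAG_BITS[ch]
    for ch in mask_spec:
        mask |= FLAG_BITS[ch]
    return mode, wanted, mask

def flags_match(body, packet_flags):
    """Does a packet with this flags byte satisfy the option body?"""
    mode, wanted, mask = parse_flags_option(body)
    have = packet_flags & ~mask & 0xFF   # masked bits are ignored on the packet
    if mode == "=":
        return have == wanted
    if mode == "+":
        return have & wanted == wanted
    if mode == "*":
        return have & wanted != 0
    return have & wanted == 0            # '!' : none of the listed bits set

# The two SYN-FIN packets from the tcpdump output in the post
PACKETS = {"SFE": tcpdump_flags("SFE"), "SFW": tcpdump_flags("SFW")}

def evaluate(option_bodies):
    """Map each option body to the names of the packets it would match."""
    return {b: [n for n, f in PACKETS.items() if flags_match(b, f)]
            for b in option_bodies}
```

Calling `evaluate(["SF1", "SF2", "SF,12", "SF12", "SF1+"])` shows, for each rule body discussed in the thread, which of the two captured packets it would match under these semantics.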
