[Snort-devel] Snort v2 and flags ECE/CWR ...

Chris Green cmg at ...402...
Wed Apr 16 12:08:11 EDT 2003


rmkml <rmkml at ...1042...> writes:

> I tested these rules and snort v2 doesn't generate an event:
>
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF1;)
>
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF2;)
>
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,12;)
>
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,1;)
>
> alert tcp any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF1,2;)
>


alert tcp any any -> any any (msg:"Snort 191 bypass ECE 1"; flags:SF1;)
alert tcp any any -> any any (msg:"Snort 191 bypass ECE 2"; flags:SF2;)
alert tcp any any -> any any (msg:"Snort 191 bypass ECE 3"; flags:SF,12;)
alert tcp any any -> any any (msg:"Snort 191 bypass ECE 4"; flags:SF,1;)
alert tcp any any -> any any (msg:"Snort 191 bypass ECE 5"; flags:SF1,2;)

    TCP: 4          (100.000%)         ALERTS: 2
    UDP: 0          (0.000%)          LOGGED: 2
   ICMP: 0          (0.000%)          PASSED: 0
04/02-08:32:28.928704  [**] [1:0:0] Snort 191 bypass ECE 2 [**] [Priority: 0] {TCP} 80.15.82.251:18245 -> 195.46.204.150:21536
04/02-08:32:39.742288  [**] [1:0:0] Snort 191 bypass ECE 1 [**] [Priority: 0] {TCP} 80.15.82.251:18245 -> 195.46.204.150:21536

> alert any any -> any any (msg:"Snort 191 bypass ECE"; flags:SF,12;)
> (with this rule, snort stops and logs this msg: bad protocol any,
> but this rule is the same as the one on your web page:
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.13
> error in your doc?)
>
> cgreen: There are no packets in your dump that match either of those
> cgreen: rules specifically.

I did misread that capture. However:

preprocessor stream4
preprocessor stream4_reassemble

alert tcp any any -> any any (msg:"Snort 191 bypass ECE 1"; flags:SF1;)
alert tcp any any -> any any (msg:"Snort 191 bypass ECE 2"; flags:SF2;)

Creates:

04/02-08:32:28.928704  [**] [1:0:0] Snort 191 bypass ECE 2 [**] [Priority: 0] {TCP} 80.15.82.251:18245 -> 195.46.204.150:21536
04/02-08:32:39.742288  [**] [1:0:0] Snort 191 bypass ECE 1 [**] [Priority: 0] {TCP} 80.15.82.251:18245 -> 195.46.204.150:21536

-- 
Chris Green <cmg at ...402...>
Fame may be fleeting but obscurity is forever.
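To make the semantics of the `flags:` option being argued about concrete, here is a small Python re-implementation of its matching logic, added as an illustration and not code from this thread or from Snort itself. It assumes the documented mapping of `1` and `2` to the two reserved bits (CWR, 0x80, and ECE, 0x40), the modifiers `+`, `*` and `!`, `0` meaning "no flags set", and the `,mask` syntax meaning "ignore these bits when comparing". The flag bytes it is run against are constructed samples, not packets from the capture discussed above, and it does not model which rule Snort reports when several rules match the same packet.

```python
"""Illustrative re-implementation of the Snort 2 'flags:' rule option.

Not Snort's own code; modelled on the documented option semantics.
"""

# Bit positions in the TCP flags byte. Snort calls the top two bits
# "reserved bit 1" (1, the MSB) and "reserved bit 2" (2); in RFC 3168
# terms these are CWR and ECE.
FLAG_BITS = {
    "F": 0x01,  # FIN
    "S": 0x02,  # SYN
    "R": 0x04,  # RST
    "P": 0x08,  # PSH
    "A": 0x10,  # ACK
    "U": 0x20,  # URG
    "2": 0x40,  # reserved bit 2 (ECE)
    "1": 0x80,  # reserved bit 1 (CWR)
}

MODIFIERS = "+*!"


def parse_flags_option(option):
    """Parse 'flags:' arguments such as 'SF', '+SA', '!R', 'SF,12'.

    Returns (mode, flags, mask):
      mode  '=' exact match, '+' all listed bits plus any others,
            '*' any of the listed bits, '!' none of the listed bits
      flags bitmask of the listed flag letters ('0' adds nothing)
      mask  bits after the comma, which are ignored when comparing
    """
    spec, _, mask_spec = option.partition(",")
    mode = "="
    flags = 0
    for ch in spec.strip():
        if ch in MODIFIERS:
            mode = ch
        elif ch == "0":
            continue            # '0' means "no flags set": compare to 0
        else:
            flags |= FLAG_BITS[ch]   # KeyError on an unknown flag letter
    mask = 0
    for ch in mask_spec.strip():
        mask |= FLAG_BITS[ch]
    return mode, flags, mask


def flags_match(option, th_flags):
    """Return True if a packet with flags byte th_flags satisfies option."""
    mode, want, mask = parse_flags_option(option)
    got = th_flags & (0xFF ^ mask)      # drop the masked-out bits first
    if mode == "=":
        return got == want
    if mode == "+":
        return (got & want) == want
    if mode == "*":
        return (got & want) != 0
    if mode == "!":
        return (got & want) == 0
    raise ValueError("unknown mode %r" % mode)


def flag_names(th_flags):
    """Human-readable rendering of a flags byte, e.g. 0x83 -> 'F S 1'."""
    return " ".join(name for name, bit in FLAG_BITS.items() if th_flags & bit)


# The five 'flags:' arguments from the rules in the thread, keyed by msg.
RULES = {
    "ECE 1": "SF1",
    "ECE 2": "SF2",
    "ECE 3": "SF,12",
    "ECE 4": "SF,1",
    "ECE 5": "SF1,2",
}


def matching_rules(th_flags, rules=RULES):
    """Names of all rules whose flags option matches th_flags, in rule order."""
    return [name for name, opt in rules.items() if flags_match(opt, th_flags)]


# Constructed sample flag bytes (not taken from the capture in the thread).
SAMPLES = {
    "SYN+FIN": 0x03,
    "SYN+FIN+CWR": 0x83,
    "SYN+FIN+ECE": 0x43,
    "SYN+FIN+CWR+ECE": 0xC3,
}

if __name__ == "__main__":
    for label, byte in SAMPLES.items():
        print("%-16s 0x%02x [%s] -> %s"
              % (label, byte, flag_names(byte), matching_rules(byte)))
```

Running it shows why the masked forms are the robust way to write a SYN+FIN check: `SF,12` matches all four samples because the reserved bits are excluded from the comparison, whereas `SF1` and `SF2` are exact matches that fire only when precisely that one reserved bit is set alongside SYN and FIN.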