[Snort-devel] reserved flags + spp_stream4

Jon warchild at ...1775...
Fri Mar 28 16:30:02 EST 2003


I migrated a sensor to Snort 2.x yesterday.  Its an OpenBSD -current box
with a fairly simple snort.conf.

I've received over 1000 alerts from 40 hosts because (for whatever reason)
they set the two tcp reserved flags.  These packets also always have the
SYN set, and are part of legitimate connections (well, they will be in two
more handshakes, anyway).  

At first I thought these were just broken machines, but a good portion of
the alerts are coming from well-known sites like vger.kernel.org
(linux-kernel mailing list, I think).

My questions are:

Is it necessary to alert on this stuff?  Since these are the ECN and CWR
flags (I think, anyway.  I could be a bit rusty right now) and the
existence of these flags isn't necessarily a sign of malicious intent,
could the alerting process be re-thought or explained?  I know R0 and R1
are often used with nmap and queso, but...

Can this particular option to stream4 be tweaked and/or turned off? 

Thanks again,


More information about the Snort-devel mailing list