[Snort-devel] reserved flags + spp_stream4

Chris Green cmg at ...402...
Mon Mar 31 05:47:09 EST 2003


Jon <warchild at ...1775...> writes:

>
> Is it necessary to alert on this stuff?  Since these are the ECN and CWR
> flags (I think, anyway.  I could be a bit rusty right now) and the
> existence of these flags isn't necessarily a sign of malicious intent,
> could the alerting process be re-thought or explained? 

It's an artifact of a bugfix. Yes, they need to be reexamined for ECN
traffic.

In the meantime, disable 'detect_scans' from your stream4
preprocessor.
-- 
Chris Green <cmg at ...402...>
To err is human, to moo bovine.
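
The point raised in this thread, as an added example (not part of the original message and not Snort's stream4 code): the two high TCP flag bits were "reserved" before RFC 3168 assigned them to ECE and CWR, so a check that treats any high bit as suspicious fires on ordinary ECN negotiation. The function names, the scan categories and the sample flag bytes are constructed for illustration.

```python
# TCP flag bits (byte 13 of the TCP header). ECE and CWR occupy the two bits
# that were "reserved" before RFC 3168.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ECN_BITS = ECE | CWR
CLASSIC = 0x3F  # the six pre-ECN flag bits


def naive_reserved_check(flags: int) -> bool:
    """Old-style check: either high bit set is treated as suspicious."""
    return bool(flags & ECN_BITS)


def classify(flags: int) -> str:
    """Judge scan-like combinations on the six classic bits only,
    and report the ECN bits separately instead of alerting on them."""
    ecn = flags & ECN_BITS
    base = flags & CLASSIC
    if base == 0:
        return "null-scan"
    if base == CLASSIC:
        return "full-xmas-scan"
    if base & SYN and base & FIN:
        return "syn-fin-scan"
    if base == FIN | PSH | URG:
        return "xmas-scan"
    if base == SYN and ecn == ECN_BITS:
        return "ecn-setup-syn"          # RFC 3168 ECN-setup SYN
    if base == SYN | ACK and ecn == ECE:
        return "ecn-setup-syn-ack"      # RFC 3168 ECN-setup SYN-ACK
    if ecn:
        return "ecn-signal"             # ECE echo or CWR on another segment
    return "normal"


if __name__ == "__main__":
    # Constructed sample flag bytes, not captured traffic.
    for flags in (0xC2, 0x52, 0x50, 0x02, 0x29, 0x03, 0x00):
        print(f"0x{flags:02x} naive_alert={naive_reserved_check(flags)!s:5} "
              f"masked={classify(flags)}")
```
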



