[Snort-devel] Stream5: Missing TCP connections with require_3whs

Steven Sturges steve.sturges at ...402...
Thu Jan 8 10:54:05 EST 2009


Thanks, Lothar.

We'll have a look... Since ECN and CWR are technically experimental,
it would be good to get a feel for how many people are actually
seeing those used in TCP or IP headers on their networks?

We'd welcome some insights -- what routers support congestion
notification and control?  IPv4 and/or IPv6?

Cheers.
-steve

Lothar Braun wrote:
> Hi all,
> 
> I noticed that snort-2.8.3.1 does not recognize all possible TCP
> connections when require_3whs is enabled for the Stream5 preprocessor.
> 
> A connection is missed if the TCP-Handshake packets (especially the
> SYN-Pakets) have the ECN- or CWR-Flag set. This is due to stream5 only
> checking for p->tcph->th_flags == TH_SYN, which is false if TH_SYN
> _and_ TH_ECN are set.
> 
> I've created a patch against snort-2.8.3.1 (see attachment) that fixes
> the problem.
> 
> Best regards,
>   Lothar
> 
> 
> ------------------------------------------------------------------------
> 
> ------------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It is the best place to buy or sell services for
> just about anything Open Source.
> http://p.sf.net/sfu/Xq1LFB
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel




More information about the Snort-devel mailing list