[Snort-users] [bgallia at ...442...: Castor's use of "ECN" shut-off]

Phil Wood cpw at ...440...
Tue Sep 12 11:30:14 EDT 2000


Folks, the included message explains why I was getting some alerts from
portscan due to RESERVEDBITS set:

Sep 8 00:19:40 x.x.x.x:1760 -> y.y.y.y:80 SYN 21S***** RESERVEDBITS

I had read the source for tcpdump and found a reference to RFC2481 which
mentioned the reserved bits.  But, I didn't know it was in "production" use.

So, should one ignore these, at least at the "email/paging" level?

Thanks,

-- 
Phil Wood, cpw at ...440...

-------------- next part --------------
An embedded message was scrubbed...
From: "B. Galliart" <bgallia at ...442...>
Subject: Castor's use of "ECN" shut-off
Date: Mon, 11 Sep 2000 17:16:14 -0500 (CDT)
Size: 2201
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20000912/0ef2067f/attachment.mht>
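As an added example (not part of the original post or of Snort's code): RFC 2481 assigns the two formerly reserved TCP flag bits to ECN as ECN-Echo (0x40) and CWR (0x80), and an initial SYN that offers ECN carries both. The sketch below reads the flags byte from a raw TCP header and separates such SYNs from SYNs with only one of the bits set. The function names, class labels and sample headers are constructed here, and treating the "21S*****" line above as flags value 0xC2 is an assumption.

```python
import struct

# TCP flag masks (byte 13 of the TCP header). ECE and CWR are the two
# formerly reserved bits that RFC 2481 assigns to ECN.
SYN, ACK = 0x02, 0x10
ECE, CWR = 0x40, 0x80


def tcp_flags(header: bytes) -> int:
    """Return the flags byte from a raw TCP header (at least 20 bytes)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def classify_syn(flags: int) -> str:
    """Classify reserved-bit usage on one TCP segment (hypothetical labels)."""
    if not (flags & SYN) or (flags & ACK):
        return "not-initial-syn"
    reserved = flags & (ECE | CWR)
    if reserved == (ECE | CWR):
        # Both bits on an initial SYN: the sender is offering ECN.
        return "ecn-setup-syn"
    if reserved:
        # A single bit on an initial SYN does not match ECN negotiation.
        return "syn-odd-reserved-bits"
    return "plain-syn"


def make_header(sport: int, dport: int, flags: int) -> bytes:
    """Build a constructed 20-byte TCP header (no options, zero checksum)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed samples; ports 1760 -> 80 are taken from the log line above.
SAMPLES = {
    "ecn_syn": make_header(1760, 80, SYN | ECE | CWR),  # assumed 0xC2
    "plain_syn": make_header(1760, 80, SYN),
    "one_bit_syn": make_header(1760, 80, SYN | CWR),
    "syn_ack": make_header(80, 1760, SYN | ACK | ECE),
}


def triage(samples: dict) -> dict:
    """Map each sample name to its classification."""
    return {name: classify_syn(tcp_flags(h)) for name, h in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```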