[Snort-users] [bgallia at ...442...: Castor's use of "ECN" shut-off]

Tye F. Hammerle thammer at ...445...
Tue Sep 12 20:39:18 EDT 2000

An interesting thing about this is that mailhosts using these reserved
bits in their SYN can't deliver mail to a host behind a PIX firewall,
at least a 5.0.3 rev. The PIX claims 'no connection' and denies the
traffic. I've got another mailhost that appears to be using the same
type packets trying to deliver mail to our site. I haven't yet heard
if FW-1 understands ECN or not. If a lot of people start using this
feature on their mail hosts it could be interesting to see the vendors
scrambling to make their systems compliant.


----- Original Message -----
From: "Phil Wood" <cpw at ...440...>
To: <snort-users at lists.sourceforge.net>
Cc: <rwc at ...440...>
Sent: Tuesday, September 12, 2000 10:30 AM
Subject: [Snort-users] [bgallia at ...442...: Castor's use of "ECN" shut-off]

> Folks, the included message explains why I was getting some alerts
> portscan due to RESERVEDBITS set:
> Sep 8 00:19:40 x.x.x.x:1760 -> y.y.y.y:80 SYN 21S***** RESERVEDBITS
> I had read the source for tcpdump and found reference to RFC2481
> mentioned the reserved bits.  But, I didn't know it was in
> "production" use.
> So, should one ignore these, at least at the "email/paging" level?
> Thanks,
> --
> Phil Wood, cpw at ...440...
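
One way to act on the "email/paging" question above, as an added example that is not part of the original thread and is not Snort code: a triage filter that keeps paging on RESERVEDBITS alerts in general but downgrades the one pattern RFC 2481 explains, a SYN with both formerly reserved bits set (ECN-Echo and CWR). It assumes the alert layout of the line quoted in the post and that `2`, `1` and `*` in the flag field mean "reserved bit set" and "flag not set"; the function name, the severity labels and every sample line except the first are constructed.

```python
import re

# Layout modeled on the alert quoted in the post (assumption):
#   <date> <src>:<port> -> <dst>:<port> <type> <8-char flags> [RESERVEDBITS]
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>\S{8})(?:\s+(?P<note>RESERVEDBITS))?\s*$"
)

def triage(line):
    """Return 'page', 'log-only', 'no-reserved-bits' or 'unparsed' (hypothetical labels)."""
    m = ALERT_RE.match(line)
    if not m:
        return "unparsed"
    # Position-independent: only which flag characters are present matters here.
    set_flags = set(m["flags"]) - {"*"}
    if m["note"] is None and not (set_flags & {"1", "2"}):
        return "no-reserved-bits"
    # An ECN-capable SYN per RFC 2481 sets both formerly reserved bits and
    # nothing else besides SYN. Keep it in the log so volume can be reviewed.
    if set_flags == {"2", "1", "S"}:
        return "log-only"
    # Any other reserved-bit combination is not explained by an ECN SYN.
    return "page"

# First line is the alert from the post; the rest are constructed samples,
# not real Snort output.
SAMPLE_ALERTS = [
    "Sep 8 00:19:40 x.x.x.x:1760 -> y.y.y.y:80 SYN 21S***** RESERVEDBITS",
    "Sep 8 00:21:02 192.0.2.10:4021 -> 198.51.100.5:25 SYN 2*S***** RESERVEDBITS",
    "Sep 8 00:22:13 192.0.2.10:4022 -> 198.51.100.5:25 SYNFIN 21SF**** RESERVEDBITS",
    "Sep 8 00:23:40 192.0.2.10:4023 -> 198.51.100.5:25 SYN **S*****",
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(f"{triage(alert):17} {alert}")
```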
