[Snort-users] [bgallia at ...442...: Castor's use of "ECN" shut-off]

Tye F. Hammerle thammer at ...445...
Tue Sep 12 20:39:18 EDT 2000


An interesting thing about this is that mailhosts using these reserved
bits in their SYN can't deliver mail to a host behind a PIX firewall,
at least a 5.0.3 rev. The PIX claims 'no connection' and denies the
traffic. I've got another mailhost that appears to be using the same
type packets trying to deliver mail to our site. I haven't yet heard
if FW-1 understands ECN or not. If a lot of people start using this
feature on their mail hosts it could be interesting to see the vendors
scrambling to make their systems compliant.

Tye


----- Original Message -----
From: "Phil Wood" <cpw at ...440...>
To: <snort-users at lists.sourceforge.net>
Cc: <rwc at ...440...>
Sent: Tuesday, September 12, 2000 10:30 AM
Subject: [Snort-users] [bgallia at ...442...: Castor's use of "ECN" shut-off]


> Folks, the included message explains why I was getting some alerts from
> portscan due to RESERVEDBITS set:
>
> Sep 8 00:19:40 x.x.x.x:1760 -> y.y.y.y:80 SYN 21S***** RESERVEDBITS
>
> I had read the source for tcpdump and found reference to RFC2481 which
> mentioned the reserved bits.  But, I didn't know it was in "production" use.
>
> So, should one ignore these, at least at the "email/paging" level?
>
> Thanks,
>
> --
> Phil Wood, cpw at ...440...
>
>
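Triage logic for the RESERVEDBITS portscan alerts discussed in this thread, added here as an example that is not part of either message: it decodes the flag field of Snort portscan lines like the one Phil quoted and labels a SYN carrying both reserved bits as an RFC 2481 ECN-setup SYN, so such alerts can be logged rather than paged on. The line layout in the regex, the sample lines other than the quoted one, and the verdict names are assumptions made for this example; the '1'/'2' characters are taken to be Snort's notation for the two reserved bits, and the check treats them symmetrically rather than assuming which one is ECE.

```python
import re

# Snort portscan log lines. The first is the line quoted in the thread;
# the rest are constructed for this example.
SAMPLE_LINES = [
    "Sep 8 00:19:40 x.x.x.x:1760 -> y.y.y.y:80 SYN 21S*****",
    "Sep 8 00:19:41 x.x.x.x:1761 -> y.y.y.y:80 SYN ******S*",
    "Sep 8 00:19:42 x.x.x.x:1762 -> y.y.y.y:25 SYN 2*****S*",
    "Sep 8 00:19:43 x.x.x.x:1763 -> y.y.y.y:25 SYNFIN 12****SF",
]
# Assumed layout: timestamp, src, "->", dst, scan type, then an 8-character
# flag field where '1'/'2' are the reserved bits and '*' means unset.
LINE_RE = re.compile(
    r"^(?P<ts>\w+ +\d+ [\d:]+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<kind>\S+) (?P<flags>[12UAPRSF*]{8})$"
)
RESERVED = {"1", "2"}

def parse_flags(field):
    """Return the set of flag letters present. Position is ignored, so
    "21S*****" and "12****S*" decode identically."""
    return set(field) - {"*"}

def classify(flags):
    """Label a flag set by what RFC 2481 allows in an ECN-capable handshake."""
    reserved = flags & RESERVED
    others = flags - RESERVED
    if not reserved:
        return "no-reserved-bits"
    # ECN-setup SYN: SYN alone with both reserved (ECE and CWR) bits set.
    if others == {"S"} and reserved == RESERVED:
        return "ecn-setup-syn"
    # ECN-setup SYN-ACK: SYN+ACK with only ECE set. Checked symmetrically
    # because this example does not fix which of '1'/'2' is ECE.
    if others == {"S", "A"} and len(reserved) == 1:
        return "ecn-setup-syn-ack"
    return "anomalous-reserved-bits"

def triage(lines):
    """Parse each line and attach a verdict; a defender can page only on
    'anomalous-reserved-bits' and merely log the ECN handshakes."""
    results = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(parse_flags(m["flags"]))
        results.append((m["src"], m["dst"], m["flags"], verdict))
    return results
```

A PIX or other firewall that is not ECN-aware will still drop the "ecn-setup-syn" packets, so the quiet verdict explains the alert but not a delivery failure like the one Tye describes.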