[Snort-users] Is there a problem with Linux 2.4.0?

Jason Haar Jason.Haar at ...294...
Thu Jan 11 15:43:38 EST 2001


On Thu, Jan 11, 2001 at 12:34:00PM -0800, Ryan Russell wrote:
> On Fri, 12 Jan 2001, Jason Haar wrote:
> 
> > I just upgraded my snort box to 2.4.0 yesterday, and I've come in this
> > morning to find a whole bunch of alerts about my snort box generating
> > "probe-Queso Fingerprint attempt" and that it's portscanning other hosts
> > every few minutes.
> >
> > I'm wondering if the IP stack has changed in some way that's causing these?
> 
> Yup.  2.3,2.4 kernels have adopted some of the undefined TCP header bits
> for some sort of QoS function.  I believe newer versions of Snort stopped
> flagging that?

Owch - I forgot to mention I was running snort-1.7...

The portscanning one is easy for me to block. I should anyway as I run
nmap/nessus from there too. But the "probe-Queso Fingerprint attempt" and
the like would still pop up... I wonder if that rule should be changed to not
match all new Linux systems then... :-)

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
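
Added example, not part of the original thread: a Python sketch of why a SYN from a kernel that sets the two formerly undefined TCP flag bits trips a rule keyed on those bits, and how to triage it. It assumes the bits are the ones later standardized as ECE and CWR (RFC 3168) and that the rule matches SYN plus both bits; all function names and the sample headers are constructed for illustration.

```python
import struct

# TCP control bits in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80          # undefined/reserved before ECN (RFC 3168)
RESERVED = ECE | CWR


def tcp_flags(tcp_header: bytes) -> int:
    """Return the flags byte from a raw TCP header (needs at least 14 bytes)."""
    if len(tcp_header) < 14:
        raise ValueError("truncated TCP header")
    return tcp_header[13]


def classify_syn(flags: int) -> str:
    """Triage label for a segment that raised a reserved-bit fingerprint alert."""
    if not flags & SYN or flags & ACK:
        return "not-initial-syn"
    if flags & (FIN | RST | PSH | URG):
        return "odd-syn"                 # SYN mixed with other control bits
    if flags & RESERVED == RESERVED:
        return "ecn-setup-syn"           # what an ECN-capable stack sends
    if flags & RESERVED:
        return "syn-one-reserved-bit"    # not an ECN setup, worth a look
    return "plain-syn"


def old_rule_matches(flags: int) -> bool:
    """Assumed rule logic: exact match on SYN plus both reserved bits."""
    return flags == (SYN | RESERVED)


def build_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: 20-byte TCP header, no options, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 5840, 0, 0)


if __name__ == "__main__":
    samples = {"ecn": SYN | RESERVED, "plain": SYN, "one-bit": SYN | ECE}
    for name, bits in samples.items():
        f = tcp_flags(build_header(40000, 80, bits))
        print(name, hex(f), classify_syn(f), old_rule_matches(f))
```
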



