[Snort-users] Is there a problem with Linux 2.4.0?

Chris Green cmg at ...671...
Thu Jan 11 16:44:14 EST 2001

Jason Haar <Jason.Haar at ...294...> writes:

> On Thu, Jan 11, 2001 at 12:34:00PM -0800, Ryan Russell wrote:
> > On Fri, 12 Jan 2001, Jason Haar wrote:
> > 
> > > I just upgraded my snort box to 2.4.0 yesterday, and I've come in this
> > > morning to find a whole bunch of alerts about my snort box generating
> > > "probe-Queso Fingerprint attempt" and that it's portscanning other hosts
> > > every few minutes.
> > >
> > > I'm wondering if the IP Stack has changed in some way that causing these?
> > 
> > Yup.  2.3,2.4 kernels have adopted some of the undefined TCP header bits
> > for some sort of QoS function.  I believe newer versions of Snort stopped
> > flagging that?
> Owch - I forgot to mention I was running snort-1.7...
> The portscanning one is easy for me to block. I should anyway as I run
> nmap/nessus from there too. But the "probe-Queso Fingerprint attempt" and
> the like would still pop up... I wonder if that rule should be changed to not
> match all new Linux systems then... :-)


" When a node sends a TCP SYN packet, it may set the ECN-Echo and CWR
   flags in the TCP header.  For a SYN packet, the setting of both the
   ECN-Echo and CWR flags are defined as an indication that the sending
   TCP is ECN-Capable, rather than as an indication of congestion or of
   response to congestion. More precisely, a SYN packet with both the
   ECN-Echo and CWR flags set indicates that the TCP implementation
   transmitting the SYN packet will participate in ECN as both a sender
   and receiver. "

This RFC adds congestion notification to both TCP and IP and linux 2.4
obliges with CONFIG_INET_ECN.

from linux 2.4.0:


Explicit Congestion Notification (ECN) allows routers to notify
clients about network congestion, resulting in fewer dropped packets
and increased network performance. This option adds ECN support to the
Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn) which
allows ECN support to be disabled at runtime.

Note that, on the Internet, there are many broken firewalls which
refuse connections from ECN-enabled machines, and it may be a while
before these firewalls are fixed. Until then, to access a site behind
such a firewall (some of which are major sites, at the time of this
writing) you will have to disable this option, either by saying N now
or by using the sysctl.

If in doubt, say N.

Just when you thought you understood tcp/ip, the game changes.
Chris Green <cmg at ...671...>
Let not the sands of time get in your lunch.

More information about the Snort-users mailing list