[Snort-users] TOS plugin modified (ECN mitigation)

Martin Roesch roesch at ...421...
Fri Jan 12 15:43:36 EST 2001

Hi guys,
     I think I've added the capabilities to the TOS plugin that we'll
need to discriminate ECN from non-ECN (e.g. Queso, nmap) activity on a
network.  I've added the capability to parse hexadecimal arguments to
the TOS plugin, as well as a logical NOT flag.  I think with the
addition of these little bits we can pick up on hostile, non-ECN traffic
a little better.  Here's a Queso packet:

01/12-15:34:41.280065 ->
TCP TTL:255 TOS:0x0 ID:38573 IpLen:20 DgmLen:40
12****S* Seq: 0x298729EF  Ack: 0x0  Win: 0x1234  TcpLen: 20

Note that both the ECN-Echo and CWR flags are set, but the TOS field is
set to 0x00, indicating that neither ECT nor CE bits are set, which means
that the other flags shouldn't be set.  In fact, if I read Toby Miller's
paper right (I haven't looked at the RFC yet) we should only see the
reserved TCP bits set when the ECT flag is set (0x02 in the TOS field). 
With the modifications I've made to the TOS plugin, we can now pick that

alert tcp any any -> $HOME_NET any (tos: !0x02; flags: 12S; msg: "QUESO Fingerprint scan";)

This is much more definitive than the old Queso rule:

alert tcp any any -> $HOME_NET any (msg:"Possible Queso Fingerprint attempt"; flags: S12;)

I should probably add '+' and '*' flags to the TOS parser so that we can
do better logic on the bit specification (it should really be "tos:
0x02+" to specify the ECT bit plus any others).


Martin Roesch
roesch at ...421...
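
The check the message describes, as an added example (not part of the original post and not Snort's own code). It assumes "tos: !0x02" compares the whole TOS byte and that the proposed "0x02+" form would test only the ECT bit; the packets are constructed from the values in the dump above, with placeholder addresses and ports.

```python
import struct

# Snort's flags keyword names the two formerly reserved TCP bits '1' and '2'
# (CWR and ECN-Echo); 'S' is SYN. "flags: 12S" matches exactly this set.
FLAGS_12S = 0x80 | 0x40 | 0x02
SYN = 0x02
ECT = 0x02  # ECT bit in the IP TOS byte, as stated in the post

def build_packet(tos, tcp_flags):
    """Constructed sample: 20-byte IPv4 header + 20-byte TCP header.
    TTL, ID, Seq and Win come from the dump in the post; addresses
    (192.0.2.0/24) and ports are placeholders, checksums are left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 38573, 0, 255, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1024, 80, 0x298729EF, 0, 5 << 4,
                      tcp_flags, 0x1234, 0, 0)
    return ip + tcp

def parse(pkt):
    """Return (tos, tcp_flags), or None if this is not a usable IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 14:
        return None
    return pkt[1], pkt[ihl + 13]

def rule_exact(pkt):
    """tos: !0x02; flags: 12S;  with TOS compared as a whole byte (assumption)."""
    f = parse(pkt)
    return f is not None and f[1] == FLAGS_12S and f[0] != ECT

def rule_masked(pkt):
    """Same flags test, but only the ECT bit of TOS is examined (assumed '0x02+')."""
    f = parse(pkt)
    return f is not None and f[1] == FLAGS_12S and not (f[0] & ECT)

QUESO = build_packet(0x00, FLAGS_12S)     # the packet shown in the post
ECT_ONLY = build_packet(0x02, FLAGS_12S)  # TOS is exactly 0x02
ECT_PLUS = build_packet(0x12, FLAGS_12S)  # ECT bit plus another TOS bit
PLAIN_SYN = build_packet(0x00, SYN)       # ordinary SYN, reserved bits clear

if __name__ == "__main__":
    for name, p in [("queso", QUESO), ("ect_only", ECT_ONLY),
                    ("ect_plus", ECT_PLUS), ("plain_syn", PLAIN_SYN)]:
        print(f"{name:10} exact={rule_exact(p)} masked={rule_masked(p)}")
```

The ECT_PLUS packet is the case the last paragraph of the message is about: a whole-byte comparison alerts on it even though the ECT bit is set, while the bit test does not.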
