[Snort-users] Re: [Snort-devel] TOS plugin modified (ECN mitigation)

Chris Green cmg at ...671...
Fri Jan 12 16:25:47 EST 2001


Martin Roesch <roesch at ...421...> writes:
> I should probably add '+' and '*' flags to the TOS parser so that we can
> do better logic on the bit specification (it should really be "tos:
> 0x02+" to specify the ECT bit plus any others).
> 
> Comments?

0x1 and 0x2 could be set in normal ECN traffic I think.  If the router
sees congestion along the way, it will tack on the CE flag.  0x02+
would trigger false alerts on Queso packets once we start getting ECN
capable routers.

I think the !0x2 is the correct signature based on reading Toby's
paper and the RFC.
-- 
Chris Green <cmg at ...671...>
A good pun is its own reword.
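
Added example (not part of the original message and not Snort's source code): a small C matcher that evaluates the TOS specs discussed in this thread against constructed TOS bytes, so the difference between `0x02`, `!0x02` and `0x02+` on ECT/CE combinations can be checked directly. The `+` and `*` modifiers are only proposed in the thread; their meanings here ("all listed bits plus any others", "any listed bit"), the exact-value reading of `!`, and all function and type names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* ECT = 0x02 per the thread; CE = 0x01 assumed as the other ECN bit (RFC 2481 layout). */
#define TOS_CE  0x01
#define TOS_ECT 0x02

enum tos_mode { TOS_EXACT, TOS_NOT, TOS_ALL_PLUS, TOS_ANY };
struct tos_rule { enum tos_mode mode; uint8_t value; };

/* Parse "0x02", "!0x02", "0x02+" or "0x02*" (hypothetical syntax). 0 = ok, -1 = bad spec. */
int tos_parse(const char *spec, struct tos_rule *out)
{
    char *end;
    out->mode = TOS_EXACT;
    if (*spec == '!') { out->mode = TOS_NOT; spec++; }
    unsigned long v = strtoul(spec, &end, 0);
    if (end == spec || v > 0xff) return -1;
    if (*end == '+' || *end == '*') {
        if (out->mode == TOS_NOT) return -1;      /* "!0x02+" is left undefined here */
        out->mode = (*end == '+') ? TOS_ALL_PLUS : TOS_ANY;
        end++;
    }
    if (*end != '\0') return -1;                  /* trailing junk */
    out->value = (uint8_t)v;
    return 0;
}

/* Apply a parsed rule to one TOS byte: 1 = rule fires, 0 = it does not. */
int tos_match(const struct tos_rule *r, uint8_t tos)
{
    switch (r->mode) {
    case TOS_EXACT:    return tos == r->value;
    case TOS_NOT:      return tos != r->value;
    case TOS_ALL_PLUS: return (tos & r->value) == r->value;  /* listed bits set, others ignored */
    case TOS_ANY:      return (tos & r->value) != 0;         /* at least one listed bit set */
    }
    return 0;
}

/* Convenience wrapper: 1 = match, 0 = no match, -1 = unparsable spec. */
int tos_check(const char *spec, uint8_t tos)
{
    struct tos_rule r;
    return tos_parse(spec, &r) == 0 ? tos_match(&r, tos) : -1;
}

int main(void)
{
    const uint8_t tos[] = { 0x00, TOS_ECT, TOS_ECT | TOS_CE };   /* constructed samples */
    const char *specs[] = { "0x02", "!0x02", "0x02+", "0x03*" };
    for (int s = 0; s < 4; s++)
        for (int t = 0; t < 3; t++)
            printf("%-6s tos=0x%02x -> %d\n", specs[s], tos[t], tos_check(specs[s], tos[t]));
    return 0;
}
```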