[Snort-devel] RE: [Snort-users] Possible Queso Fingerprint attempt?

Erik Fichtner emf at ...367...
Thu Mar 15 06:26:27 EST 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Mar 15, 2001 at 05:03:18AM -0500, Aaron S. Carmichael wrote:
> We have noticed something very much the same. The offending Possible Queso
> Fingerprint was coming from a linux org in Virginia. Now we know this
> particular system has not been compromised but every time one of our users
> get mail from their list snort sees it at a Possible Queso Fingerprint.

Possible Queso Fingerprint means "12S" packets.  This is a result of
Explicit Congestion Notification, an experimental RFC that has been enabled
by default in Linux 2.4.x.  [1]

If linux boxes talk to you, you'll see this.  A lot. 


[1] If anyone involved in that asinine decision is reading this, I'd
certainly like to thank you for really buggering up a lot of firewalls and
IDS's around the world.  That was a great plan, guys.  Top notch execution,
too. 

- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjqwpuIACgkQQ7EzrewLMS1LiwCgxkqwr0Woc842EzH9l2uNL85w
BigAnRxxSX2izpp+BCRIhdGh8Nqd/+fU
=fVPb
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list