[Snort-devel] RE: [Snort-users] Possible Queso Fingerprint attempt?

Ookhoi ookhoi at ...1580...
Thu Mar 15 06:55:22 EST 2001


Hi Erik,

> > We have noticed something very much the same. The offending Possible Queso
> > Fingerprint was coming from a linux org in Virginia. Now we know this
> > particular system has not been compromised but every time one of our users
> > get mail from their list snort sees it at a Possible Queso Fingerprint.
> 
> Possible Queso Fingerprint means "12S" packets.  This is a result of
> Explicit Congestion Notification, an experimental RFC that has been enabled
> by default in Linux 2.4.x.  [1]
> 
> If linux boxes talk to you, you'll see this.  A lot. 
> 
> [1] If anyone involved in that asinine decision is reading this, I'd
> certainly like to thank you for really buggering up a lot of firewalls and
> IDS's around the world.  That was a great plan, guys.  Top notch execution,
> too. 

Ecn is a good thing. The firewalls should be fixed.

	Ookhoi




More information about the Snort-users mailing list