[Snort-devel] RE: [Snort-users] Possible Queso Fingerprint attempt?

Martin Roesch roesch at ...421...
Fri Mar 16 09:18:18 EST 2001

I implemented a TCP window size detection plugin last night, so we
should now be able to distinguish ECN from Queso without any problems
(for stock Queso builds).  If you want to try the code, check out the
latest from CVS.


Gregor Binder wrote:
> Ookhoi on Fri, Mar 16, 2001 at 12:41:21PM +0100:
> Ookhoi,
> > I have to correct you on this one. Ecn is not enabled by default. You
> > have to download the kernel yourself, untar it, set ecn from the default
> > No to Yes, compile it, install it and reboot your computer with it.
> sorry, I do not run a 2.4 myself, the FAQ I was quoting from made me
> me think that it's enabled by default.
> > You can't blame us for enabling ecn, or linux for supporting ecn. We
> > blame the dumbass provider which installed snort and don't know a thing
> > about it.
> I'd have to agree with you on the braindead NIDS admin issue .. :) But
> again I have to say what does it help YOU as a 2.4 user if it's not your
> fault but you're the one suffering from it? Is finding someone else to
> blame good enough for you?
> If it's not enabled by default, we could as well forget this point
> though. :)
> > Less secure? I can't see why. And ecn was in 2.4 before it was declared
> > stable, so imnsho it is implemented in a proper way.
> I guess I was unclear on that last statement - what I meant to say was:
> By forcing vendors to QUICKLY release patches to make things work again
> for everybody, and I would consider this patching a very critical part
> of those systems, I fear those patches could lack quality and thus
> POSSIBLY impact security. I wasn't referring to ECN or Linux in this
> case, but all those broken implementations. And I disagree with the FAQ
> that a bugfix can't impact security. Without knowing a particular
> implementation, you can never say that a bugfix can't introduce new
> bugs.
> It's just like I don't like to see this "time to market"-type of
> pressure being the driving factor for product development very much.
> --
> Gregor Binder       <gregor.binder at ...462...>      http://sysfive.com/
> sysfive.com GmbH               UNIX. Networking. Security. Applications.
> PGP id: 0x20C6DA55 fp: 18AB 2DD0 F8FA D710 1EDC A97A B128 01C0 20C6 DA55
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

Martin Roesch
roesch at ...421...

More information about the Snort-users mailing list