[Snort-users] BPF for ECN Bits

Erik Fichtner emf at ...367...
Thu May 24 17:13:14 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, May 24, 2001 at 12:19:21PM -0700, Joe McAlerney wrote:
> I wrote this one a while back.  It was tested, and seems to work. 
> Please let me know if you find it is not doing the job.
> 
> # snort <command options> not 'tcp[13] & 192 != 0'

Well, it works, but it doesn't work.   It prevents snort from seeing 
ECNified packets--entirely.   Which means, any ECN host can attack you with
impunity and you'll never see it.

Better to just patch spp_portscan and remove the queso fingerprinting rules
if ECN is giving you grief.   (spp_portscan needs a -dontflagecn option..)


- -- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7DXlqQ7EzrewLMS0RAp9IAJ44e5LDsvec0sXXq6MvRMK2X/J0EQCcC8G7
shSjf1/z+jz4uYsP8yc5jHA=
=nY1e
-----END PGP SIGNATURE-----




More information about the Snort-users mailing list