[Snort-users] BPF for ECN Bits
emf at ...367...
Thu May 24 17:13:14 EDT 2001
On Thu, May 24, 2001 at 12:19:21PM -0700, Joe McAlerney wrote:
> I wrote this one a while back. It was tested, and seems to work.
> Please let me know if you find it is not doing the job.
> # snort <command options> not 'tcp[13] & 192 != 0'
Well, it works, but it doesn't work. It prevents snort from seeing
ECNified packets--entirely. Which means, any ECN host can attack you with
impunity and you'll never see it.
Better to just patch spp_portscan and remove the queso fingerprinting rules
if ECN is giving you grief. (spp_portscan needs a -dontflagecn option..)
Security Administrator, ServerVault, Inc.
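The blind spot described in the reply, modeled in Python over constructed TCP headers (an added example, not part of the original message and not Snort or spp_portscan code). It assumes the quoted filter tests the TCP flags byte at offset 13 for ECE (0x40) and CWR (0x80); all function names are hypothetical, and the masking function only illustrates the "don't flag ECN" idea.

```python
import struct

ECE, CWR = 0x40, 0x80   # ECN bits in the TCP flags byte (offset 13), RFC 3168
ECN_MASK = ECE | CWR    # 192, the constant used in the quoted filter
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_header(sport, dport, flags, seq=1, ack=0):
    """Build a constructed 20-byte TCP header (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, 8192, 0, 0)


def sensor_sees(hdr):
    """Capture filter `not (tcp[13] & 192 != 0)`: True if the packet
    is still delivered to the sensor."""
    return not (hdr[13] & ECN_MASK != 0)


def flags_for_anomaly_check(hdr):
    """Alternative: keep the packet, but ignore ECE/CWR when the
    detector judges whether the flag combination is suspicious."""
    return hdr[13] & ~ECN_MASK & 0xFF


def audit(packets):
    """Return (label, visible_with_filter, flags_after_masking) rows."""
    return [(label, sensor_sees(h), flags_for_anomaly_check(h))
            for label, h in packets]


# Constructed sample headers, not captured traffic.
SAMPLES = [
    ("plain SYN", tcp_header(40000, 80, SYN)),
    ("ECN-setup SYN", tcp_header(40001, 80, SYN | ECE | CWR)),
    ("data segment with ECE", tcp_header(40001, 80, PSH | ACK | ECE, 2, 1)),
    ("data segment, no ECN", tcp_header(40000, 80, PSH | ACK, 2, 1)),
]

if __name__ == "__main__":
    for label, visible, masked in audit(SAMPLES):
        print(f"{label:24} visible={visible!s:5} masked_flags=0x{masked:02x}")
```

With the filter in place, every segment of an ECN connection is invisible to all rules, not just the fingerprinting ones; masking the two bits inside the check keeps those segments inspectable while treating them like their non-ECN equivalents.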