[Snort-users] BPF for ECN Bits
vision at ...4...
Thu May 24 18:46:11 EDT 2001
You should use the rules from arachNIDS. I posted a while back that the
initial TTL for queso probes is always 255. Normal Linux traffic initial
TTL will almost always be 64. Therefore you can detect queso probes with
high reliability by watching for ttl > 225 or so.
For Snort 1.7:
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS29/probe-Queso Fingerprint attempt"; ttl: >225; flags: S12;)
For Snort 1.8:
alert TCP $EXTERNAL any -> $INTERNAL any (msg: "IDS29/probe-Queso Fingerprint attempt"; ttl: >225; flags: S12; classtype: info-attempt; reference: arachnids,29;)
On Thu, 24 May 2001, Erik Fichtner wrote:
> On Thu, May 24, 2001 at 12:19:21PM -0700, Joe McAlerney wrote:
> > I wrote this one a while back. It was tested, and seems to work.
> > Please let me know if you find it is not doing the job.
> > # snort <command options> not 'tcp[13] & 192 != 0'
> Well, it works, but it doesn't work. It prevents snort from seeing
> ECNified packets--entirely. Which means, any ECN host can attack you with
> impunity and you'll never see it.
> Better to just patch spp_portscan and remove the queso fingerprinting rules
> if ECN is giving you grief. (spp_portscan needs a -dontflagecn option..)
> --
> Erik Fichtner
> Security Administrator, ServerVault, Inc.
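An added worked example, not part of the thread above and not Snort or arachNIDS code: it emulates the two approaches discussed (the BPF filter `not 'tcp[13] & 192 != 0'` and the Snort rule `ttl: >225; flags: S12;`) over a few constructed IPv4/TCP packets so the trade-off Erik describes is visible. The packets, addresses and payload are made up for the demonstration; byte 13 of the TCP header is the flags byte, and 192 (0xC0) masks the CWR and ECE bits, which is what Snort's `flags: S12` calls reserved bits 1 and 2.

```python
import struct

# TCP flag bits in the flags byte (tcp[13] in BPF offset notation).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))
ECN_MASK = ECE | CWR  # 0xC0 == 192, the mask used in the BPF filter on the list


def build_packet(ttl, flags, payload=b""):
    """Construct a minimal IPv4 + TCP packet (constructed sample, no checksums, RFC 5737 addresses)."""
    tcp_len = 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + tcp_len, 0x1234, 0,   # ver/IHL, TOS, total length, ID, frag
                     ttl, 6, 0,                          # TTL, protocol TCP, checksum (unset)
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80, 0, 0,                   # sport, dport, seq, ack
                      5 << 4, flags, 8192, 0, 0)         # data offset, flags, window, csum, urg
    return ip + tcp + payload


def parse(pkt):
    """Pull out the fields both approaches look at: IP TTL, IP protocol, TCP flags byte."""
    ihl = (pkt[0] & 0x0F) * 4
    return {"ttl": pkt[8], "proto": pkt[9], "flags": pkt[ihl + 13]}


def bpf_passes(pkt):
    """Emulate the capture filter  not 'tcp[13] & 192 != 0':
    True means the packet reaches Snort at all; any TCP packet with CWR or ECE set is dropped."""
    p = parse(pkt)
    return not (p["proto"] == 6 and p["flags"] & ECN_MASK != 0)


def queso_rule_matches(pkt):
    """Emulate  ttl: >225; flags: S12;  (an exact flags match: SYN plus both reserved bits, nothing else)."""
    p = parse(pkt)
    return p["proto"] == 6 and p["ttl"] > 225 and p["flags"] == (SYN | ECN_MASK)


# Constructed samples: a queso-style probe, a Linux ECN-capable SYN, a plain SYN,
# and data from an ECN-capable host mid-connection (the case the BPF filter hides).
SAMPLES = {
    "queso_probe":    build_packet(255, SYN | ECE | CWR),
    "linux_ecn_syn":  build_packet(64,  SYN | ECE | CWR),
    "plain_syn":      build_packet(64,  SYN),
    "ecn_host_data":  build_packet(64,  ACK | PSH | ECE, b"constructed payload from an ECN host"),
}


def evaluate_all():
    """For each sample: does it survive the BPF filter, and would the arachNIDS-style rule alert on it?"""
    return {name: {"reaches_snort_with_bpf": bpf_passes(pkt),
                   "queso_alert_without_bpf": queso_rule_matches(pkt)}
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:15s} reaches Snort (BPF): {result['reaches_snort_with_bpf']!s:5s} "
              f"queso alert (TTL rule): {result['queso_alert_without_bpf']}")
```

Running it shows the point of the thread: the BPF filter keeps the probe out, but it also keeps out every other packet with an ECN bit set, including ordinary data from an ECN-capable host, so Snort never sees that traffic. The TTL-based rule instead lets everything through and only alerts on the 255-TTL SYN with both reserved bits set, leaving the 64-TTL Linux ECN SYN alone.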