[Snort-users] Snort, Queso and iptables

Olaf Schreck chakl at ...931...
Wed Oct 10 04:08:12 EDT 2001

> Actually I reckon someone was posting a while ago on some (this?) mailing
> list that certain versions of the Linux kernel craft packets in such a way
> that they appear as Queso prints (some erroneous flags or something). If
> someone is interested, I can really dig it up, but in short, you can
> blame the broken Linux kernel here :-)


The Linux 2.4 kernels implement TCP ECN (RFC 2481) for traffic congestion 
notification.  ECN makes use of 2 bits in the TCP header that were reserved 
before.  As the original poster was connecting to a Linux site, I'd 
assume it's 2.4 ECN rather than a Queso probe.

Olaf Schreck, Syscall Network Solutions AG, Berlin
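
Added example, not part of the original post or of Snort: a triage helper for the situation discussed in this thread. It reads the flags byte of a TCP header and reports whether the two formerly reserved bits (ECE and CWR) match the ECN handshake pattern or something else. The function names and the sample headers are constructed for illustration.

```python
import struct

# Flag bits in byte 13 of the TCP header, lowest bit first.
# ECE and CWR are the two formerly reserved bits that ECN uses.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_header(flags, sport=40000, dport=80, seq=1):
    """Constructed sample input: a minimal 20-byte TCP header, no options."""
    offset_flags = (5 << 12) | flags  # data offset = 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                       offset_flags, 5840, 0, 0)


def classify(tcp_header):
    """Classify how the ECE/CWR bits are used in one TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    flags = tcp_header[13]
    ecn_bits = flags & (ECE | CWR)
    rest = flags & ~(ECE | CWR) & 0xFF
    if not ecn_bits:
        return "no-ecn-bits"
    if rest == SYN and ecn_bits == (ECE | CWR):
        return "ecn-setup-syn"        # SYN from an ECN-enabled stack
    if rest == (SYN | ACK) and ecn_bits == ECE:
        return "ecn-setup-synack"     # reply from an ECN-capable peer
    if rest & SYN:
        return "unexpected-syn-bits"  # SYN with a pattern ECN setup does not use
    return "ecn-in-session"           # ECE/CWR on a segment of an open connection


if __name__ == "__main__":
    samples = {
        "plain SYN": SYN,
        "SYN+ECE+CWR": SYN | ECE | CWR,
        "SYN+ACK+ECE": SYN | ACK | ECE,
        "SYN+ECE only": SYN | ECE,
        "ACK+ECE": ACK | ECE,
    }
    for name, flags in samples.items():
        print(f"{name:14s} -> {classify(build_tcp_header(flags))}")
```

A result of `ecn-setup-syn` from a host known to run an ECN-enabled stack supports the ECN explanation; `unexpected-syn-bits` is the case that merits a closer look at the packet.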
