[Snort-users] Snort, Queso and iptables
chakl at ...931...
Wed Oct 10 04:08:12 EDT 2001
> Actually I reckon someone was posting a while ago on some(this?) mailing
> list that certain versions of linux kernel craft packets in such way
> that they appear as queso prints (some erroneous flags or something), if
> someone is interested, I can really dig it up, but being short you can
> blame broken linux kernel here :-)
The Linux 2.4 kernels implement TCP ECN (RFC 2481) for traffic congestion
notification. ECN makes use of 2 bits in the TCP header that were reserved
before. As the original poster was connecting to a Linux site, I'd
assume it's 2.4 ECN rather than a Queso probe.
Olaf Schreck, Syscall Network Solutions AG, Berlin
More information about the Snort-users