[Snort-users] Reserve Bit

Jeff Dell jdell at ...1095...
Tue Jul 20 22:35:01 EDT 2004

That would be correct. To find out more about ECN check out rfc3168 at:
ftp://ftp.isi.edu/in-notes/rfc3168.txt. Basically ECN is new TCP
functionality to handle congestion control and avoidance.

Snort calls the TCP flag ECE (ECN-Echo) Reserved bit 1 and the TCP flag CWR
(Congestion Window Reduced) Reserved bit 2. 

There are some legitimate uses for this.. But some programs use it to mess
with packet filters or to perform active OS fingerprinting. One program that
comes to mind is NMAP.



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Wednesday, July 21, 2004 1:00 AM
To: Esler, Joel - Contractor; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Reserve Bit

At 04:39 PM 7/20/2004, Esler, Joel - Contractor wrote:
>Has anyone ever seen a packet come in with sig id:  523?
>         BAD-TRAFFIC ip reserved bit set

Yes.. ECN (explicit congestion notification) uses the reserved bits IIRC. 

This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list