Pantek Library
[Snort-devel] reserved flags + spp_stream4

From: Jon <warchild(at)spoofed.org>
Date: Fri Mar 28 2003 - 19:29:55 EST


Greetings,

I migrated a sensor to Snort 2.x yesterday. It's an OpenBSD -current box with a fairly simple snort.conf.

I've received over 1000 alerts from 40 hosts because (for whatever reason) they set the two tcp reserved flags. These packets also always have the SYN set, and are part of legitimate connections (well, they will be in two more handshakes, anyway).

At first I thought these were just broken machines, but a good portion of the alerts are coming from well-known sites like vger.kernel.org (linux-kernel mailing list, I think).

My questions are:

Is it necessary to alert on this stuff? Since these are the ECN and CWR flags (I think, anyway. I could be a bit rusty right now) and the existence of these flags isn't necessarily a sign of malicious intent, could the alerting process be re-thought or explained? I know R0 and R1 are often used with nmap and queso, but...

Can this particular option to stream4 be tweaked and/or turned off?

Thanks again,


-jon
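The two bits Jon calls R0 and R1 are the ones RFC 3168 reassigned as CWR and ECE; a SYN carrying both is a client offering ECN, and a SYN+ACK carrying only ECE is the server accepting it, which is exactly the pattern described above. As an added illustration (not code from the original post or from Snort), the script below constructs a few TCP headers, decodes the flags byte and labels each segment according to whether its ECE/CWR bits are explained by the RFC 3168 handshake or look anomalous. All header values are constructed sample data, and the label names are this example's own.

```python
import struct
from collections import Counter

# TCP flag bits in byte 13 of the TCP header (RFC 793, extended by RFC 3168).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80  # formerly the two "reserved" bits, now ECN-Echo and Congestion Window Reduced

FLAG_NAMES = [(CWR, "CWR"), (ECE, "ECE"), (URG, "URG"), (ACK, "ACK"),
              (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header (constructed sample data, checksum left zero)."""
    data_offset = 5 << 4  # 5 x 32-bit words; the low nibble (reserved) stays zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_flags(header):
    """Return the flags byte of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def flag_string(flags):
    """Human-readable flag list, e.g. 'CWR+ECE+SYN'."""
    return "+".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def classify(flags):
    """Label a segment by whether its ECE/CWR bits fit the RFC 3168 ECN negotiation.

    Labels are this example's own, not Snort's:
      no-ecn-bits          neither ECE nor CWR set
      ecn-setup-syn        SYN+ECE+CWR without ACK: client offering ECN (legitimate)
      ecn-setup-synack     SYN+ACK+ECE without CWR: server accepting ECN (legitimate)
      ecn-data             ECE/CWR on a non-SYN segment: ordinary congestion signalling
      ecn-bits-anomalous   ECE/CWR on a SYN in a combination RFC 3168 does not define
    """
    ecn = flags & (ECE | CWR)
    if not ecn:
        return "no-ecn-bits"
    if flags & SYN and not flags & ACK and ecn == (ECE | CWR):
        return "ecn-setup-syn"
    if flags & SYN and flags & ACK and ecn == ECE:
        return "ecn-setup-synack"
    if not flags & SYN:
        return "ecn-data"
    return "ecn-bits-anomalous"


def triage(headers):
    """Count how many raw headers fall into each class; only the anomalous class merits an alert."""
    return Counter(classify(parse_tcp_flags(h)) for h in headers)


# Constructed sample traffic: the SYN+ECE+CWR case from the post, the matching
# SYN+ACK+ECE reply, a plain SYN, an established-connection segment, and one
# SYN whose reserved-bit use does not match any ECN handshake step.
SAMPLE_HEADERS = [
    build_tcp_header(40001, 25, SYN | ECE | CWR),
    build_tcp_header(25, 40001, SYN | ACK | ECE),
    build_tcp_header(40002, 80, SYN),
    build_tcp_header(40001, 25, ACK | PSH | ECE),
    build_tcp_header(40003, 22, SYN | CWR),
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        f = parse_tcp_flags(h)
        print(f"{flag_string(f):<16} -> {classify(f)}")
    print(dict(triage(SAMPLE_HEADERS)))
```

Run as-is it prints one line per sample and a per-class count; only the last sample lands in the anomalous bucket. The point for a sensor operator is that ECE/CWR on a SYN is not by itself evidence of a probe, so a reserved-bits check that does not first exclude the RFC 3168 handshake combinations will fire on every ECN-capable peer.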




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Fri Mar 28 19:35:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:04 EDT

