
Re: [Snort-devel] reserved flags + spp_stream4

From: Chris Green <cmg(at)sourcefire.com>
Date: Mon Mar 31 2003 - 08:43:27 EST

Jon <warchild@spoofed.org> writes:

> Is it necessary to alert on this stuff? Since these are the ECN and CWR
> flags (I think, anyway. I could be a bit rusty right now) and the
> existence of these flags isn't necessarily a sign of malicious intent,
> could the alerting process be re-thought or explained?

It's an artifact of a bugfix. Yes, they need to be reexamined for ECN traffic.

In the meantime, disable 'detect_scans' from your stream4 preprocessor.

-- 
Chris Green 
To err is human, to moo bovine.
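
Added illustration, not part of the message above and not code from Snort or stream4: a sketch that reads the TCP flags byte and separates the ECE/CWR combinations RFC 3168 defines for ECN from ones that still merit a look. The function names, labels and sample segments are this example's own assumptions.

```python
import struct

# TCP flag bits, byte 13 of the TCP header (RFC 793, extended by RFC 3168).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ECE, CWR = 0x40, 0x80  # the two bits that were "reserved" before ECN


def tcp_flags(segment: bytes) -> int:
    """Return the flags byte of a raw TCP segment (header starts at offset 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def classify(flags: int) -> str:
    """Label the ECE/CWR usage of one segment (labels are this example's own)."""
    ecn = flags & (ECE | CWR)
    base = flags & (SYN | ACK | FIN | RST)
    if not ecn:
        return "no-ecn-bits"
    if base == SYN:
        # An ECN-setup SYN carries both ECE and CWR.
        return "ecn-setup-syn" if ecn == (ECE | CWR) else "review"
    if base == (SYN | ACK):
        # An ECN-setup SYN-ACK carries ECE only.
        return "ecn-setup-synack" if ecn == ECE else "review"
    if base in (ACK, ACK | FIN):
        # Established flow: ECE echoes congestion, CWR acknowledges the echo.
        return "ecn-signal"
    return "review"  # e.g. RST or SYN+FIN segments with the high bits set


def make_segment(flags: int) -> bytes:
    """Constructed 20-byte TCP header for the demo; ports and seq are arbitrary."""
    return struct.pack("!HHLLBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    samples = (SYN, SYN | ECE | CWR, SYN | ACK | ECE,
               ACK | PSH | CWR, RST | ECE | CWR, SYN | FIN | ECE | CWR)
    for f in samples:
        print(f"0x{f:02x} {classify(tcp_flags(make_segment(f)))}")
```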


Received on Mon Mar 31 08:55:53 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:04 EDT

