RE: [Snort-users] Reserve Bit

From: Jeff Dell (jdellactiveworx.com)
Date: Wed Jul 21 2004 - 00:33:29 CDT


That would be correct. To find out more about ECN, check out RFC 3168 at:
ftp://ftp.isi.edu/in-notes/rfc3168.txt. Basically ECN is new TCP
functionality to handle congestion control and avoidance.

Snort calls the TCP flag ECE (ECN-Echo) Reserved bit 1 and the TCP flag CWR
(Congestion Window Reduced) Reserved bit 2.

There are some legitimate uses for this. But some programs use it to mess
with packet filters or to perform active OS fingerprinting. One program that
comes to mind is NMAP.

Cheers,

Jeff

-----Original Message-----
From: snort-users-adminlists.sourceforge.net
[mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Wednesday, July 21, 2004 1:00 AM
To: Esler, Joel - Contractor; snort-userslists.sourceforge.net
Subject: Re: [Snort-users] Reserve Bit

At 04:39 PM 7/20/2004, Esler, Joel - Contractor wrote:
>Has anyone ever seen a packet come in with sig id: 523?
>
> BAD-TRAFFIC ip reserved bit set

Yes. ECN (explicit congestion notification) uses the reserved bits IIRC.

-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
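
An added example, not part of the original thread: Python code that reads the ECE and CWR bits from a raw TCP header and sorts them by the RFC 3168 handshake rules, so ordinary ECN negotiation can be told apart from unusual flag combinations when triaging an alert. The function names, result labels and sample headers are constructed for illustration and do not use Snort's own bit numbering.

```python
import struct

# TCP flag bits in byte 13 of the TCP header (RFC 3168 defines ECE and CWR).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def tcp_flags(header: bytes) -> int:
    """Return the flags byte from a raw TCP header (minimum 20 bytes)."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]


def classify_ecn(header: bytes) -> str:
    """Classify the ECE/CWR bits by the RFC 3168 handshake rules."""
    flags = tcp_flags(header)
    ecn = flags & (ECE | CWR)
    if not ecn:
        return "no-ecn-bits"
    if flags & SYN and not flags & ACK:
        # An ECN-setup SYN carries both ECE and CWR.
        return "ecn-setup-syn" if ecn == (ECE | CWR) else "nonstandard-syn"
    if flags & SYN and flags & ACK:
        # An ECN-setup SYN-ACK carries ECE only.
        return "ecn-setup-synack" if ecn == ECE else "nonstandard-synack"
    # After the handshake, ECE echoes congestion and CWR acknowledges it.
    return "ecn-signal"


def make_header(flags: int) -> bytes:
    """Constructed sample: a 20-byte TCP header carrying the given flags."""
    # sport, dport, seq, ack, data offset (5 words), flags, window, csum, urg
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)


if __name__ == "__main__":
    # Constructed flag combinations, not captured traffic.
    samples = [SYN | ECE | CWR, SYN | ACK | ECE, SYN | ECE, ACK | ECE, ACK]
    for flags in samples:
        print(f"flags=0x{flags:02x} -> {classify_ecn(make_header(flags))}")
```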
