[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: firestorm bypass (snort advisory)
ok thanks,
example :
alert tcp any any -> any any (msg:"snort 191 bypass ECE"; flags: SFE;)
alert tcp any any -> any any (msg:"snort 191 bypass CWR"; flags: SFC;)
Regard.
Gianni Tedesco wrote:
> On Wed, 2003-04-02 at 11:46, rmkml wrote:
> > Thank for your reply,
> >
> > Firestorm detect ECN Flags ?
>
> ECN flags are valid normally so firestorm doesn't automatically alert on
> them. You can use the following 'flags' field in a rule to match on
> them:
>
> CWR bit: either '1' or 'C'
> ECE bit: either '2' or 'E'
>
> --
> // Gianni Tedesco (gianni at scaramanga dot co dot uk)
> lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
> 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
>
> ------------------------------------------------------------------------
> Name: signature.asc
> signature.asc Type: application/pgp-signature
> Description: This is a digitally signed message part