
Re: firestorm bypass (snort advisory)



ok thanks,

Example:
alert tcp any any -> any any (msg:"snort 191 bypass ECE"; flags: SFE;)
alert tcp any any -> any any (msg:"snort 191 bypass CWR"; flags: SFC;)

Regards.



Gianni Tedesco wrote:

> On Wed, 2003-04-02 at 11:46, rmkml wrote:
> > Thanks for your reply,
> >
> > Does Firestorm detect ECN flags?
>
> ECN flags are valid normally so firestorm doesn't automatically alert on
> them. You can use the following 'flags' field in a rule to match on
> them:
>
>  CWR bit: either '1' or 'C'
>  ECE bit: either '2' or 'E'
>
> --
> // Gianni Tedesco (gianni at scaramanga dot co dot uk)
> lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
> 8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
>
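
The flag letters from the quoted reply, worked through as an added example that is not part of the original thread or of Firestorm's own code: it decodes the TCP flags byte and checks which of the posted rules fire. Assumptions: a plain `flags:` value is an exact match on the flags byte, the "baseline SYN+FIN" rule and the `ignore` parameter are hypothetical, and the segments are constructed.

```python
import struct

# Byte 13 of the TCP header: RFC 793 flags plus the two RFC 3168 ECN bits.
FLAG_BITS = {
    "F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20,
    "E": 0x40, "2": 0x40,  # ECE: either 'E' or '2', per the reply above
    "C": 0x80, "1": 0x80,  # CWR: either 'C' or '1', per the reply above
}

def spec_to_mask(spec):
    """Turn a rule 'flags' string such as 'SFE' into a bit mask."""
    mask = 0
    for ch in spec.upper():
        if ch not in FLAG_BITS:
            raise ValueError("unknown flag letter: %r" % ch)
        mask |= FLAG_BITS[ch]
    return mask

def tcp_flags(segment):
    """Return the flags byte of a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]

def describe(flags):
    """Render a flags byte as letters, most significant bit first."""
    return "".join(c for c in "CEUAPRSF" if flags & FLAG_BITS[c])

def matches(flags, spec, ignore=""):
    """Exact match (assumed semantics); bits named in 'ignore' are masked off."""
    return (flags & ~spec_to_mask(ignore) & 0xFF) == spec_to_mask(spec)

def build_segment(flags):
    """Constructed 20-byte TCP header; ports and sequence numbers are arbitrary."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 1024, 0, 0)

# First rule is a hypothetical baseline; the other two are the rules posted above.
RULES = [("baseline SYN+FIN", "SF"),
         ("snort 191 bypass ECE", "SFE"),
         ("snort 191 bypass CWR", "SFC")]

def fired(segment, ignore=""):
    """Messages of every rule whose flags spec matches the segment."""
    flags = tcp_flags(segment)
    return [msg for msg, spec in RULES if matches(flags, spec, ignore)]

if __name__ == "__main__":
    for f in (0x03, 0x43, 0x83):
        seg = build_segment(f)
        print(describe(f), fired(seg), fired(seg, ignore="CE"))
```

Under the exact-match assumption each ECN variant of SYN+FIN needs its own rule, or the ECN bits have to be masked before the comparison, which is what `ignore="CE"` models.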