Home page logo

snort logo Snort mailing list archives

[PATCH]: Change reserved bits in flags keyword to match RFC 3168
From: <Joshua.Kinard () us-cert gov>
Date: Mon, 20 Dec 2010 19:43:38 -0500

Hi snort-devel,

In RFC 3168, Enhanced Congestion Notification (ECN) support was added to
the IP specification.  One of the changes was the use of the two
formerly-reserved bits in the TCP Flags field.  Snort currently marks
these fields as '1' for reserved bit 1 and '2' for reserved bit 2.

The attached patch changes this behavior.  '1' is now 'C' and refers to
the Congestion Window Reduced (CWR) bit.  '2' is now 'E' and refers to
the ECN-Echo (ECE) bit.  The old values are still supported/parsed to
avoid breaking any existing rulesets.



Attachment: snort-
Description: snort-

Lotusphere 2011
Register now for Lotusphere 2011 and learn how
to connect the dots, take your collaborative environment
to the next level, and enter the era of Social Business.
Snort-devel mailing list
Snort-devel () lists sourceforge net

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]