Rule:

--
Sid: 523

--
Summary:
This event is generated when packets on the network have the reserved 
bit set.

--
Impact:
Possible prelude to system compromise.

--
Detailed Information:
Under normal circumstances IP packets do not use the reserved bit.

This may be an indicator of the use of the reserved bit by a malicious 
user to instigate covert channel communications.

an indicator of unauthorized network use, reconnaisance activity or 
system compromise. These rules may also generate an event due to 
improperly configured network devices.

--
Affected Systems:
	All

--
Attack Scenarios:
The attacker may send specially crafted packets with the reserved bit 
set.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Use a packet filtering device to reject packets with this bit set.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--
