IDS mailing list archives
Re: [Snort-sigs] new Q signature
From: Jon <warchild () spoofed org>
Date: Mon, 10 Feb 2003 16:43:08 -0500
On Tue, Feb 11, 2003 at 08:17:14AM +1100, Hall, Andrew (DPRS) wrote:
Jon, If you are seeing something the TTL decement all the way to 1 then you probably have a routing loop. Ie are the destinations actually used in your address space? If not, what can happen is that your border router will route the address into your network, while your next device inside the border router will route it back by its default route. Just something to check.
My bad -- I should've been a bit more clear. The default TTL limit for Snort's stream4 preprocessor looks to be 5. Expiration in the context of stream4's TTL doesn't mean it dropped to 1, but rather "oh my, thats low. you might want to check that out". It was pure luck that stream4 first picked up on these packets. The ones that I'm catching now have believable TTLs, and are originating from well known/used ports like 22,25,80. Thanks, -jon
Current thread:
- RE: [Snort-sigs] new Q signature Hall, Andrew (DPRS) (Feb 10)
- Re: [Snort-sigs] new Q signature Jon (Feb 10)
- Re: [Snort-sigs] new Q signature Jason (Feb 10)
- Re: [Snort-sigs] new Q signature Jon (Feb 10)
- Re: [Snort-sigs] new Q signature Jason (Feb 10)
- Re: [Snort-sigs] new Q signature Jon (Feb 10)