IDS mailing list archives

Re: [Snort-sigs] new Q signature


From: Jon <warchild () spoofed org>
Date: Mon, 10 Feb 2003 16:43:08 -0500

On Tue, Feb 11, 2003 at 08:17:14AM +1100, Hall, Andrew (DPRS) wrote:
> Jon,
>
> If you are seeing something the TTL decrement all the way to 1 then you
> probably have a routing loop.  I.e., are the destinations actually used in
> your address space?  If not, what can happen is that your border router
> will route the address into your network, while your next device inside
> the border router will route it back by its default route.
>
> Just something to check.

My bad -- I should've been a bit more clear.  

The default TTL limit for Snort's stream4 preprocessor looks to be 5.
Expiration in the context of stream4's TTL doesn't mean it dropped to 1,
but rather "oh my, that's low.  you might want to check that out".

It was pure luck that stream4 first picked up on these packets.  The ones
that I'm catching now have believable TTLs, and are originating from well
known/used ports like 22,25,80.

Thanks,

-jon 

