IDS mailing list archives
Re: [Snort-sigs] new Q signature
From: Jason <security () brvenik com>
Date: Mon, 10 Feb 2003 17:50:01 -0500
Jon wrote:
On Tue, Feb 11, 2003 at 08:17:14AM +1100, Hall, Andrew (DPRS) wrote:

Jon, if you are seeing something the TTL decrement all the way to 1 then you probably have a routing loop. I.e., are the destinations actually used in your address space? If not, what can happen is that your border router will route the address into your network, while your next device inside the border router will route it back by its default route. Just something to check.

My bad -- I should've been a bit more clear.

The default TTL limit for Snort's stream4 preprocessor looks to be 5. Expiration in the context of stream4's TTL doesn't mean it dropped to 1, but rather "oh my, that's low, you might want to check that out". It was pure luck that stream4 first picked up on these packets. The ones that I'm catching now have believable TTLs, and are originating from well known/used ports like 22, 25, 80.
ttl_limit defines the acceptable TTL variance for a given session. So in English, if a TTL changes by more than ttl_limit in a given session then you will get an alert.

If you have asymmetric routes at the upstream or the endpoint, or you have dynamic load balancing... you can see a bunch of these.

Either increase the limit to be more appropriate for the environment or disable it by setting it to 0.
Thanks,
-jon
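The ttl_limit behaviour Jason describes, modelled as an added example (this is not code from the thread or from Snort's stream4 itself): each side of a session gets a baseline TTL from its first packet, later packets whose TTL differs from that baseline by more than ttl_limit raise an alert, and ttl_limit 0 disables the check. The packet records, field names, and the per-direction baseline are assumptions made for the example.

```python
# Added example, not stream4 code: a minimal model of the ttl_limit check.
# Packet records below are constructed; the per-direction baseline is an
# assumption about how the check is applied.

DEFAULT_TTL_LIMIT = 5  # stream4's default, per the thread


def session_key(pkt):
    """Direction-independent key so both halves of a TCP session match."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return tuple(ends)


def check_ttl_variance(packets, ttl_limit=DEFAULT_TTL_LIMIT):
    """Return one alert per packet whose TTL drifts more than ttl_limit
    from the first TTL seen for that side of the session.

    Baselines are kept per direction (assumption), since the two
    endpoints of a session legitimately sit at different hop counts.
    """
    if ttl_limit == 0:  # 0 disables the check entirely
        return []
    baselines = {}
    alerts = []
    for pkt in packets:
        key = (session_key(pkt), pkt["src"])
        first = baselines.setdefault(key, pkt["ttl"])  # first packet sets baseline
        delta = abs(pkt["ttl"] - first)
        if delta > ttl_limit:
            alerts.append({
                "src": pkt["src"],
                "dst": pkt["dst"],
                "dport": pkt["dport"],
                "baseline": first,
                "ttl": pkt["ttl"],
                "delta": delta,
            })
    return alerts


# Constructed sample traffic: two sessions, only the second has a TTL jump.
SAMPLE_PACKETS = [
    # Session 1: stable path; one hop of jitter stays well under the limit
    {"src": "10.0.0.5", "sport": 40123, "dst": "192.0.2.10", "dport": 22, "ttl": 62},
    {"src": "192.0.2.10", "sport": 22, "dst": "10.0.0.5", "dport": 40123, "ttl": 55},
    {"src": "10.0.0.5", "sport": 40123, "dst": "192.0.2.10", "dport": 22, "ttl": 61},
    # Session 2: the server's replies arrive over two paths of different length
    {"src": "10.0.0.7", "sport": 40200, "dst": "198.51.100.4", "dport": 80, "ttl": 63},
    {"src": "198.51.100.4", "sport": 80, "dst": "10.0.0.7", "dport": 40200, "ttl": 120},
    {"src": "198.51.100.4", "sport": 80, "dst": "10.0.0.7", "dport": 40200, "ttl": 112},
]


if __name__ == "__main__":
    for limit in (DEFAULT_TTL_LIMIT, 10, 0):
        hits = check_ttl_variance(SAMPLE_PACKETS, ttl_limit=limit)
        print(f"ttl_limit={limit}: {len(hits)} alert(s) {hits}")
```

Running it shows the trade-off in the thread: with the default limit of 5 the 8-hop swing on the second session's replies alerts, raising the limit to 10 makes the same traffic quiet, and 0 turns the check off altogether.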