IDS mailing list archives
Re: [Snort-sigs] new Q signature
From: Jon <warchild () spoofed org>
Date: Mon, 10 Feb 2003 20:02:05 -0500
On Mon, Feb 10, 2003 at 05:50:01PM -0500, Jason wrote:
ttl_limit defines the acceptable ttl variance for a given session. so in English, if a ttl changes more than ttl_limit in a given session then you will get an alert. if you have asymmetric routes or the upstream or the endpoint or you have dynamic load balancing... you can see a bunch of these. either increase the limit to be more appropriate for the environment or disable it by setting it to 0.
OK, I guess I was a bit confused based on some of the Snort documentation and the message that stream4 emits. Anyway, thanks for that clarification.

Of all the TTL warnings that stream4 has given me, all of them have been suspicious.

Would anyone else be willing to run my tag rule posted earlier? That might help get to the bottom of this Q traffic.

-jon
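The ttl_limit behaviour described in the quoted explanation, as an added example that is not part of either post and is not Snort's stream4 code. It assumes the baseline is the first TTL seen in each direction of a session; `Packet`, `ttl_alerts` and the sample traffic are hypothetical names and constructed data.

```python
from collections import namedtuple

# Minimal packet record; field names are assumptions made for this example.
Packet = namedtuple("Packet", "src sport dst dport ttl")


def ttl_alerts(packets, ttl_limit):
    """Return (index, flow, baseline_ttl, seen_ttl) for every packet whose TTL
    differs from its flow's baseline by more than ttl_limit."""
    if ttl_limit == 0:
        # A limit of 0 disables the check, as the quoted explanation says.
        return []
    baseline = {}  # one baseline per direction, since each side has its own TTL
    alerts = []
    for i, p in enumerate(packets):
        flow = (p.src, p.sport, p.dst, p.dport)
        # Assumption: the first TTL seen for a direction becomes its baseline.
        base = baseline.setdefault(flow, p.ttl)
        if abs(p.ttl - base) > ttl_limit:
            alerts.append((i, flow, base, p.ttl))
    return alerts


# Constructed sample session (documentation address ranges).
SAMPLE = [
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, 57),
    Packet("198.51.100.5", 80, "192.0.2.10", 40000, 120),  # reverse direction
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, 55),   # small shift, e.g. a route change
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, 3),    # large jump from the baseline
    Packet("198.51.100.5", 80, "192.0.2.10", 40000, 120),
]

if __name__ == "__main__":
    for limit in (0, 1, 5):
        hits = ttl_alerts(SAMPLE, limit)
        print(f"ttl_limit={limit}: {len(hits)} alert(s)")
        for idx, flow, base, seen in hits:
            print(f"  packet {idx} {flow}: baseline {base}, saw {seen}")
```

Running it with several limits shows the tuning trade-off from the thread: a tight limit also fires on the small route-change shift, while a looser one reports only the large jump.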