Snort mailing list archives
Re: Bug/Feature in Snort?
From: Ryan Russell <ryan () securityfocus com>
Date: Sun, 10 Mar 2002 16:56:26 -0700 (MST)
On Sun, 10 Mar 2002, Paul Farley wrote:
If you observe the TTL values for all three of the alerts, the 1st and 3rd packets have a TTL of 115, which is reasonable considering this attack originates from Windows hosts, and often the starting TTL value for Windows hosts is 128. The 2nd packet however has a TTL of 255, which is inconsistent with the other two packets. In addition the
Your web server echoed something back from the attempt that set off the same rule.

Ryan
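One way to triage same-signature alerts like the three discussed in this thread, as an added example that is not part of the original messages: estimate each packet's hop count from its TTL and flag alerts that come from the protected network on a different path than the rest. The addresses, the `HOME_NET` range, the function names and the list of common initial TTLs are assumptions; only the TTL values 115 and 255 come from the thread.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Common initial TTL values used by IP stacks (assumption for this example).
INITIAL_TTLS = (32, 64, 128, 255)

def estimate_hops(ttl):
    """Return (assumed initial TTL, hops travelled) for an observed TTL."""
    if not 1 <= ttl <= 255:
        raise ValueError("TTL out of range: %r" % ttl)
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl

def triage(alerts, home_net):
    """Label each alert of one signature as 'inbound' or 'likely-echo'."""
    net = ip_network(home_net)
    paths = [estimate_hops(a["ttl"]) for a in alerts]
    # The most common (initial TTL, hops) pair is taken as the remote path.
    baseline = Counter(paths).most_common(1)[0][0]
    labels = []
    for alert, path in zip(alerts, paths):
        from_home = ip_address(alert["src"]) in net
        # A packet sourced inside the protected network on a different
        # path is a response carrying the request data back out.
        if from_home and path != baseline:
            labels.append("likely-echo")
        else:
            labels.append("inbound")
    return labels

# Constructed sample: TTLs from the thread, addresses are placeholders.
HOME_NET = "192.0.2.0/24"
ALERTS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "ttl": 115},
    {"src": "192.0.2.10", "dst": "198.51.100.7", "ttl": 255},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "ttl": 115},
]

if __name__ == "__main__":
    for alert, label in zip(ALERTS, triage(ALERTS, HOME_NET)):
        initial, hops = estimate_hops(alert["ttl"])
        print(alert["src"], "ttl", alert["ttl"], "hops", hops, label)
```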