Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Bug/Feature in Snort?

From: Ryan Russell <ryan () securityfocus com>
Date: Sun, 10 Mar 2002 16:56:26 -0700 (MST)
On Sun, 10 Mar 2002, Paul Farley wrote:



If you observe the TTL values for all three of the alerts, the 1st and
3rd packets have a TTL of  115, which is reasonable considering this
attack originates from Windows hosts, and often the starting TTL value
for Windows hosts is 128.  The 2nd packet however has a TTL of 255,
which is inconsistent with the other two packets.  In addition the


Your web server echoed something back from the attempt that set off the
same rule.

                                Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: