Snort mailing list archives
lots of ttl evasion attempt alerts snort 1.8.7
From: Michael Scheidell <scheidell () secnap net>
Date: Thu, 11 Jul 2002 17:31:00 -0400 (EDT)
I won't say BILLIONS, but 200 more of these in 21 hours of running snort 1.8.7 vs 1.8.6beta6.

Starting snort thus:

    /usr/local/bin/snort -doDI -m 022 -z \
      -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort

System is FBSD 4.5.

I did not change my snort.conf:

    preprocessor frag2
    preprocessor stream4: noinspect, disable_evasion_alerts
    preprocessor stream4_reassemble: noalerts

------------------------------------------------------------------------
    07/11/02-21:14:17.835920 {TCP} 194.51.131.66:1428 -> 10.1.1.10:25
    [**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
    [Classification: Not Suspicious Traffic] [Priority: 5]

All destination internal mail server. Various external sources.

46 just from sourceforge alone: (I don't think they really are spoofing/hacking/scanning)

    216.136.171.252 FQDN: usw-sf-fw2.sourceforge.net ( local whois )
    Num of 1 46 0 2002-07-10 18:11:58 2002-07-11 20:48

--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Positions available see http://www.secnap.net/employment/
Current thread:
- lots of ttl evasion attempt alerts snort 1.8.7 Michael Scheidell (Jul 11)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Chris Green (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Michael Scheidell (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 David E. Gianndrea (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Erek Adams (Jul 12)
- <Possible follow-ups>
- RE: lots of ttl evasion attempt alerts snort 1.8.7 Schroeder, Eric (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Chris Green (Jul 12)