Snort mailing list archives

lots of ttl evasion attempt alerts snort 1.8.7


From: Michael Scheidell <scheidell () secnap net>
Date: Thu, 11 Jul 2002 17:31:00 -0400 (EDT)

I won't say BILLIONS, but 200 more of these in 21 hours of running snort
1.8.7 vs 1.8.6beta6.

starting snort thus:
/usr/local/bin/snort -doDI -m 022 -z \
-c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort

system is FBSD 4.5.

I did not change my snort.conf:
preprocessor frag2
preprocessor stream4: noinspect, disable_evasion_alerts
preprocessor stream4_reassemble: noalerts

------------------------------------------------------------------------
07/11/02-21:14:17.835920  {TCP} 194.51.131.66:1428 -> 10.1.1.10:25
[**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
[Classification: Not Suspicious Traffic] [Priority: 5]

all destination internal mail server.
various external sources.

46 just from sourceforge alone: (I don't think they really are
spoofing/hacking/scanning)

216.136.171.252

FQDN: usw-sf-fw2.sourceforge.net  ( local whois ) Num of 

1 46 0  2002-07-10 18:11:58  2002-07-11 20:48 

-- 
Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Positions available see http://www.secnap.net/employment/
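
Added example, not part of the original message or of Snort: a per-source tally of [111:15:1] alerts, the kind of count the message gives for the sourceforge host. It assumes the log uses the three-line record layout quoted in the message; every sample record except the first is constructed, and the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Sample in the layout quoted in the message. Record 1 is the one from the
# message; the rest are constructed (documentation-range addresses, and a
# made-up local rule id 1:1000001 to show that other alerts are ignored).
SAMPLE = """\
07/11/02-21:14:17.835920  {TCP} 194.51.131.66:1428 -> 10.1.1.10:25
[**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
[Classification: Not Suspicious Traffic] [Priority: 5]
07/11/02-21:15:02.000001  {TCP} 192.0.2.7:3301 -> 10.1.1.10:25
[**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
[Classification: Not Suspicious Traffic] [Priority: 5]
07/11/02-21:20:00.500000  {TCP} 198.51.100.9:4000 -> 10.1.1.10:80
[**] [1:1000001:1] constructed local rule [**]
[Classification: Not Suspicious Traffic] [Priority: 5]
07/11/02-21:40:10.123456  {TCP} 192.0.2.7:3302 -> 10.1.1.10:25
[**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
[Classification: Not Suspicious Traffic] [Priority: 5]
"""

HEADER = re.compile(r"^(?P<ts>\d\d/\d\d/\d\d-[\d:.]+)\s+\{\w+\}\s+"
                    r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")
SIG = re.compile(r"^\[\*\*\] \[(\d+):(\d+):\d+\] .* \[\*\*\]$")

def tally_by_source(text, gid=111, sid=15):
    """Per source IP: alert count, first/last seen, destination ports."""
    stats, header = {}, None
    for line in text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            header = h          # remember the packet line for the next sig line
            continue
        s = SIG.match(line)
        if s and header:
            if (int(s.group(1)), int(s.group(2))) == (gid, sid):
                when = datetime.strptime(header["ts"], "%m/%d/%y-%H:%M:%S.%f")
                rec = stats.setdefault(header["src"], {
                    "count": 0, "first": when, "last": when, "dports": set()})
                rec["count"] += 1
                rec["first"] = min(rec["first"], when)
                rec["last"] = max(rec["last"], when)
                rec["dports"].add(int(header["dport"]))
            header = None       # a packet line pairs with one sig line only
    return stats

if __name__ == "__main__":
    for src, r in sorted(tally_by_source(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(src, r["count"], r["first"], r["last"], sorted(r["dports"]))
```

A tally where every source hits the same destination port and the counts track normal mail volume points at a preprocessor change rather than hostile senders.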

