Re: [Snort-sigs] new Q signature

[Jason <security () brvenik com>]

Jon wrote:

> On Tue, Feb 11, 2003 at 08:17:14AM +1100, Hall, Andrew (DPRS) wrote:
>  
>
> > Jon,
> >
> > If you are seeing something the TTL decement all the way to 1 then you
> > probably have a routing loop.  Ie are the destinations actually used in
> > your address space?  If not, what can happen is that your border router
> > will route the address into your network, while your next device inside
> > the border router will route it back by its default route.
> >
> > Just something to check.
> >    
>
> My bad -- I should've been a bit more clear.  
>
> The default TTL limit for Snort's stream4 preprocessor looks to be 5.
> Expiration in the context of stream4's TTL doesn't mean it dropped to 1,
> but rather "oh my, thats low.  you might want to check that out".
>
> It was pure luck that stream4 first picked up on these packets.  The ones
> that I'm catching now have believable TTLs, and are originating from well
> known/used ports like 22,25,80.

ttl_limit defines the acceptable ttl variance for a given session.
so in english, if a ttl changes more than ttl_limit in a given session 
then you will get an alert.

if you have asymetric routes or the upstream or the endpoint or you have 
dynamic load balancing... you can see a bunch of these.

either increase the limit to be more appropriate for the environment or 
disable it by setting it to 0

> Thanks,
>
> -jon 
>
>