IDS mailing list archives

Re: [Snort-sigs] new Q signature


From: Jon <warchild () spoofed org>
Date: Mon, 10 Feb 2003 20:02:05 -0500

On Mon, Feb 10, 2003 at 05:50:01PM -0500, Jason wrote:
ttl_limit defines the acceptable ttl variance for a given session.
so in english, if a ttl changes more than ttl_limit in a given session 
then you will get an alert.

if you have asymmetric routes or the upstream or the endpoint or you have 
dynamic load balancing... you can see a bunch of these.

either increase the limit to be more appropriate for the environment or 
disable it by setting it to 0

OK, I guess I was a bit confused based on some of the Snort documentation
and the message that stream4 emits.  Anyway, thanks for that clarification.

Of all the TTL warnings that stream4 has given me, all of them have been
suspicious.

Would anyone else be willing to run my tag rule posted earlier?  That might
help get to the bottom of this Q traffic.

-jon
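A minimal model of the ttl_limit behaviour Jason describes, added here as an example and not taken from Snort's stream4 code: the per-direction session key, the first-seen-TTL baseline and the sample packets are assumptions; only the rule "alert when the TTL moves more than ttl_limit within a session, 0 disables the check" comes from the thread.

```python
from collections import namedtuple

# Constructed sample packets (not captured traffic): src, sport, dst, dport, IP TTL.
Packet = namedtuple("Packet", "src sport dst dport ttl")

SAMPLE_PACKETS = [
    # Ordinary session: the client's TTL drifts by one hop, the server's stays steady.
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 64),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, 52),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 63),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, 52),
    # Second session: a later packet on the same side shows a very different TTL.
    Packet("10.0.0.7", 40001, "192.0.2.10", 80, 128),
    Packet("192.0.2.10", 80, "10.0.0.7", 40001, 52),
    Packet("10.0.0.7", 40001, "192.0.2.10", 80, 44),
]

def direction_key(pkt):
    """One side of a session (assumed key): packets from the same host/port to the
    same host/port. Each direction is tracked on its own so the client's TTL is never
    compared with the server's, which differ in almost every real session."""
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

def ttl_variance_alerts(packets, ttl_limit):
    """Apply the ttl_limit rule from the thread: remember the first TTL seen for each
    side of a session and report any later packet whose TTL differs from it by more
    than ttl_limit. A ttl_limit of 0 disables the check entirely."""
    baseline = {}
    alerts = []
    for pkt in packets:
        key = direction_key(pkt)
        first = baseline.setdefault(key, pkt.ttl)
        if ttl_limit > 0 and abs(pkt.ttl - first) > ttl_limit:
            alerts.append({"key": key, "first_ttl": first, "ttl": pkt.ttl})
    return alerts

if __name__ == "__main__":
    for limit in (5, 0):
        hits = ttl_variance_alerts(SAMPLE_PACKETS, limit)
        print(f"ttl_limit={limit}: {len(hits)} alert(s)")
        for hit in hits:
            print("  ", hit)
```

Raising the limit (as suggested in the thread) makes the one-hop drift in the first session invisible while the 84-hop jump in the second still fires, until the limit is set high enough or to 0.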

