Snort mailing list archives

RE: Bug/Feature in Snort?


From: "Paul Farley" <Paul.Farley () EventLevel com>
Date: Sun, 10 Mar 2002 19:28:07 -0500

Ryan,  

There are a few questions centered around that very fact.

1. Why did the ack packet my box returned set off that rule?  The ack
was headed in the wrong direction AND did not have the content specified
in the rule.  I could accept maybe a misconfiguration of HOME_NET as a
cause for the direction of traffic issue, but that packet doesn't have
the content the rule is looking for. 

Ack packet:

02/16-03:25:26.843748 MY.NET.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49657 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20

2. Why the difference between the packet TTL and the TTL reported in the
alert?


Regards,

Paul Farley
EventLevel, Inc.
Paul.Farley () EventLevel com
http://www.eventlevel.com

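The triage Paul is asking for (does the packet's direction, payload and TTL even make sense for the rule that fired?) can be scripted from the three-line packet dump in the alert. This is an added example, not code from this thread or from Snort; it uses a constructed RFC 1918 address in place of the obfuscated MY.NET host and assumes HOME_NET is 192.168.0.0/16.

```python
import ipaddress
import re

# Constructed sample in Snort's classic packet-dump format; 192.168.9.170
# stands in for the obfuscated MY.NET.9.170 from the thread.
SAMPLE_ALERT = """\
02/16-03:25:26.843748 192.168.9.170:80 -> 66.76.77.48:4832
TCP TTL:127 TOS:0x0 ID:49657 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20
"""

HOME_NET = ipaddress.ip_network("192.168.0.0/16")  # assumed HOME_NET

HDR_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(r"^(\w+) TTL:(\d+) .*IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^([*\w]{8}) .*TcpLen: (\d+)")


def parse_alert(text):
    """Parse the timestamp/IP/TCP header lines of a Snort packet dump."""
    lines = text.strip().splitlines()
    h, ip, tcp = HDR_RE.match(lines[0]), IP_RE.match(lines[1]), TCP_RE.match(lines[2])
    if not (h and ip and tcp):
        raise ValueError("unrecognised Snort packet dump")
    return {
        "src": ipaddress.ip_address(h.group(1)), "dst": ipaddress.ip_address(h.group(3)),
        "ttl": int(ip.group(2)), "ip_len": int(ip.group(3)), "dgm_len": int(ip.group(4)),
        # Snort prints the flag byte as 8 positions (12UAPRSF); a letter means set.
        "flags": {c for c in tcp.group(1) if c != "*"},
        "tcp_len": int(tcp.group(2)),
    }


def triage(pkt):
    """Reasons an inbound content rule should not have matched this packet."""
    payload = pkt["dgm_len"] - pkt["ip_len"] - pkt["tcp_len"]
    reasons = []
    if pkt["src"] in HOME_NET and pkt["dst"] not in HOME_NET:
        reasons.append("direction: HOME_NET -> EXTERNAL_NET, rule expects inbound")
    if payload == 0:
        reasons.append("no payload: a content: option has nothing to match")
    if pkt["flags"] == {"A"}:
        reasons.append("bare ACK: server-side acknowledgement, not a request")
    return payload, reasons


def ttl_origin(ttl):
    """Guess the initial TTL (64/128/255) and hop count from an observed TTL."""
    for init in (64, 128, 255):
        if ttl <= init:
            return init, init - ttl
    raise ValueError("TTL out of range")
```

With the thread's numbers, ttl_origin(115) gives (128, 13) for the Windows-originated packets, while ttl_origin(255) gives (255, 0), a packet that either started at 255 or was generated adjacent to the sensor, which is why the second alert stands out.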

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ryan
Russell
Sent: Sunday, March 10, 2002 6:56 PM
To: Paul Farley
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Bug/Feature in Snort?


On Sun, 10 Mar 2002, Paul Farley wrote:


If you observe the TTL values for all three of the alerts, the 1st and
3rd packets have a TTL of  115, which is reasonable considering this
attack originates from Windows hosts, and often the starting TTL value
for Windows hosts is 128.  The 2nd packet however has a TTL of 255,
which is inconsistent with the other two packets.  In addition the

Your web server echoed something back from the attempt that set off the
same rule.

                                Ryan


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

