Snort mailing list archives
Re: lots of ttl evasion attempt alerts snort 1.8.7
From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 12 Jul 2002 12:19:53 -0700 (PDT)
On Fri, 12 Jul 2002, David E. Gianndrea wrote:
Add ttl_limit 0Would somebody please explain this change. I too have been seeing these alerts, but im not quite sure I understand what they are, and what the effect of this change are.
Well, in spp_stream4.c: 151 u_int8_t ttl_limit; /* the largest difference we'll accept in the 152 course of a TTL conversation */ And then from reading on down in the code, it seems as though the ttl_limit is the amount of difference in ttls on packets that form a 'conversation'. With the limit at 0, it doesn't care about them. If I'm not right, I'm sure someone will correct me! :) Or at least I hope they do!! ;-) Cheers! ----- Erek Adams Nifty-Type-Guy TheAdamsFamily.Net ------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Gadgets, caffeine, t-shirts, fun stuff. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- lots of ttl evasion attempt alerts snort 1.8.7 Michael Scheidell (Jul 11)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Chris Green (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Michael Scheidell (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 David E. Gianndrea (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Erek Adams (Jul 12)
- <Possible follow-ups>
- RE: lots of ttl evasion attempt alerts snort 1.8.7 Schroeder, Eric (Jul 12)
- Re: lots of ttl evasion attempt alerts snort 1.8.7 Chris Green (Jul 12)