Snort mailing list archives

Re: lots of ttl evasion attempt alerts snort 1.8.7


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 12 Jul 2002 12:19:53 -0700 (PDT)

On Fri, 12 Jul 2002, David E. Gianndrea wrote:

Add ttl_limit 0


Would somebody please explain this change? I too have been seeing
these alerts, but I'm not quite sure I understand what they are, and
what the effects of this change are.

Well, in spp_stream4.c:

   u_int8_t  ttl_limit; /* the largest difference we'll accept in the
                           course of a TTL conversation */


And then from reading on down in the code, it seems as though the ttl_limit is
the amount of difference in ttls on packets that form a 'conversation'.  With
the limit at 0, it doesn't care about them.

If I'm not right, I'm sure someone will correct me! :)  Or at least I hope
they do!!  ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
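
A simplified sketch of the check as the post above reads it, added here as an illustration; it is not code from spp_stream4.c. The names `struct conv`, `ttl_check` and `run_trace`, the first-packet baseline, and the limit value 5 are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-conversation state; not Snort's own session structure. */
struct conv {
    uint8_t  base_ttl;  /* TTL of the first packet seen (assumed baseline) */
    int      seen;      /* 0 until the first packet sets the baseline */
    unsigned alerts;    /* packets flagged so far */
};

/* Returns 1 when the packet's TTL differs from the baseline by more than
 * ttl_limit. A ttl_limit of 0 turns the check off, as the post reads it. */
int ttl_check(struct conv *c, uint8_t pkt_ttl, uint8_t ttl_limit)
{
    if (!c->seen) {               /* first packet establishes the baseline */
        c->base_ttl = pkt_ttl;
        c->seen = 1;
        return 0;
    }
    if (ttl_limit == 0)           /* check disabled */
        return 0;
    if (abs((int)pkt_ttl - (int)c->base_ttl) > (int)ttl_limit) {
        c->alerts++;
        return 1;
    }
    return 0;
}

/* Feeds a TTL sequence through one conversation and returns the alert count. */
unsigned run_trace(const uint8_t *ttls, size_t n, uint8_t ttl_limit)
{
    struct conv c = {0, 0, 0};
    for (size_t i = 0; i < n; i++)
        ttl_check(&c, ttls[i], ttl_limit);
    return c.alerts;
}

/* Constructed sample: TTLs seen in one direction of one conversation.
 * 58 -> 57 is a small path change; 3 and 44 are large jumps. */
static const uint8_t SAMPLE[] = {58, 58, 57, 58, 3, 58, 44};

int main(void)
{
    size_t n = sizeof SAMPLE / sizeof SAMPLE[0];
    printf("limit 5: %u alerts\n", run_trace(SAMPLE, n, 5));
    printf("limit 0: %u alerts\n", run_trace(SAMPLE, n, 0));
    return 0;
}
```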


