RE: Lots of "spp_stream4: TTL EVASION (reasemble) "

["Cloppert, Michael" <Michael.Cloppert () 53 com>]

What I've found helps is if I adjust the (undocumented) ttl_limit option in
the stream4 preprocessor.  I *believe* if you set it to 0, you won't get any
alerts of this nature.  From what I understand, this is the delta between a
"normal" ttl for a TCP conversation and a "skewed" ttl.  For example, my SYN
and SYN-ACK in a TCP handshake may have a ttl of 150 each.  The next ACK has
a ttl of 2.  The delta between these two packets is 148, therefore if my
ttl_limit is set to anything <= 148, this ACK will generate an evasion
alert.  Unfortunately, I've had to set this VERY high to minimize false
positives.  If anyone's had better luck with tweaking these parameters I'd
be interested to hear what's been done, because my ttl_limit of 175 is going
to miss some evasion attempts, without a doubt!  FYI, my stream4 line is:

preprocessor stream4: disable_evasion_alerts,ttl_limit 175

mike

> -----Original Message-----
> From: Augustinho Catto [mailto:Catto () atlas unisinos br]
> Sent: Thursday, July 25, 2002 3:20 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Lots of "spp_stream4: TTL EVASION (reasemble) "
>
>
> Dear gurus:
> Since I installed snort 1.87 version I received lots of alerts kind 
> "spp_stream4: TTL EVASION (reassemble) detection ".
> It happened in spite of fact I´ve already set:
> "preprocessor stream4: disable_evasion_alerts" and
> "preprocessor stream4_reassemble: noalerts" in snort.conf.
> In this network exists a "Total Control" which receive dial-up 
> connections.
> How could avoid this false alerts?
> TIA,
> Catto
>
>
> Augustinho Valmor CATTO
> CNE - Analista de Suporte 
> UNISINOS - Universidade do Vale do Rio dos Sinos
> Sao Leopoldo - RS - Brasil
> Phone: +55 xx 51 590-8386
> http://www.unisinos.br/institucional/estrutura/
> "From Brazil the land of FIFA worldwide soccer five times 
> championship"
>
>
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber - The world's 
> fastest growing 
> real-time communications platform! Don't just IM. Build it in! 
> http://www.jabber.com/osdn/xim
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users