Snort mailing list archives
RE: Lots of "spp_stream4: TTL EVASION (reasemble) "
From: "Cloppert, Michael" <Michael.Cloppert () 53 com>
Date: Wed, 31 Jul 2002 09:42:58 -0400
What I've found helps is if I adjust the (undocumented) ttl_limit option in the stream4 preprocessor. I *believe* if you set it to 0, you won't get any alerts of this nature.

From what I understand, this is the delta between a "normal" ttl for a TCP conversation and a "skewed" ttl. For example, my SYN and SYN-ACK in a TCP handshake may have a ttl of 150 each. The next ACK has a ttl of 2. The delta between these two packets is 148, therefore if my ttl_limit is set to anything <= 148, this ACK will generate an evasion alert.

Unfortunately, I've had to set this VERY high to minimize false positives. If anyone's had better luck with tweaking these parameters I'd be interested to hear what's been done, because my ttl_limit of 175 is going to miss some evasion attempts, without a doubt!

FYI, my stream4 line is:

preprocessor stream4: disable_evasion_alerts,ttl_limit 175

mike
-----Original Message-----
From: Augustinho Catto [mailto:Catto () atlas unisinos br]
Sent: Thursday, July 25, 2002 3:20 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Lots of "spp_stream4: TTL EVASION (reasemble) "

Dear gurus:

Since I installed snort 1.87 version I received lots of alerts kind "spp_stream4: TTL EVASION (reassemble) detection ". It happened in spite of fact I've already set: "preprocessor stream4: disable_evasion_alerts" and "preprocessor stream4_reassemble: noalerts" in snort.conf.

In this network exists a "Total Control" which receives dial-up connections.

How could I avoid these false alerts?

TIA,
Catto

Augustinho Valmor CATTO
CNE - Analista de Suporte
UNISINOS - Universidade do Vale do Rio dos Sinos
Sao Leopoldo - RS - Brasil
Phone: +55 xx 51 590-8386
http://www.unisinos.br/institucional/estrutura/
"From Brazil the land of FIFA worldwide soccer five times championship"
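The delta check as Michael describes it, modelled as an added example (my code, not Snort's stream4 implementation). The per-direction baseline, the ">=" comparison against ttl_limit and "0 disables the check" are assumptions taken from his reading of the option, not from Snort's source:

```python
"""Model of the stream4-style TTL delta check discussed in this thread.

Added example, not Snort's own code.  Assumptions (mine, not the page's):
  * the baseline TTL is the TTL of the first packet seen in each direction
    of a flow, which for a normal handshake is the SYN or SYN-ACK;
  * an alert fires when |ttl - baseline| >= ttl_limit;
  * ttl_limit 0 disables the check, matching Michael's reading of it.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst ttl flags")


def ttl_evasion_alerts(packets, ttl_limit):
    """Return [(packet_index, delta)] for every packet whose TTL departs
    from its direction's baseline by ttl_limit or more."""
    baseline = {}  # (src, dst) -> TTL of the first packet in that direction
    alerts = []
    if ttl_limit <= 0:  # assumption: 0 turns the check off
        return alerts
    for i, pkt in enumerate(packets):
        key = (pkt.src, pkt.dst)
        if key not in baseline:
            baseline[key] = pkt.ttl
            continue
        delta = abs(pkt.ttl - baseline[key])
        if delta >= ttl_limit:
            alerts.append((i, delta))
    return alerts


# Constructed traffic: Michael's example handshake (TTL 150 each way),
# then an ACK from the client with TTL 2, then a packet with 1 hop of jitter.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 150, "S"),
    Packet("10.0.0.9", "10.0.0.5", 150, "SA"),
    Packet("10.0.0.5", "10.0.0.9", 2, "A"),
    Packet("10.0.0.5", "10.0.0.9", 149, "PA"),
]

if __name__ == "__main__":
    # Shows the trade-off from the thread: a limit of 175 silences the
    # TTL-2 ACK, while anything <= 148 still flags it.
    for limit in (1, 148, 175):
        print(limit, ttl_evasion_alerts(SAMPLE, limit))
```

Sweeping ttl_limit over a capture from the dial-up segment is the same loop, and tells you which limit silences the "Total Control" traffic without dropping to 0.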
Current thread:
- Lots of "spp_stream4: TTL EVASION (reasemble) " Augustinho Catto (Jul 25)
- Re: Lots of "spp_stream4: TTL EVASION (reasemble) " Mark Rowlands (Jul 27)
- <Possible follow-ups>
- RE: Lots of "spp_stream4: TTL EVASION (reasemble) " Cloppert, Michael (Jul 31)