Snort mailing list archives
Question for Snort gurus re: TTL and intercepted communications
From: jeffs () speakeasy net
Date: Thu, 01 Jul 2004 16:33:17 +0000
I'm wondering if there might be a method to determine if a data stream has been intercepted or sidetracked by looking at the TTL values or other values in a datastream. Of course TTL is relative and wouldn't in and of itself tell if a data stream has been intercepted, but I'm wondering if one could build a model whereby you could use a baseline reference of TTL pulled off a traceroute or something like that and then compare some values from a separate, baseline value from a third party application between server and client, to compare said values against values analyzed by Snort. Just an idea. Looking for suggestions.

J.
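One way to implement the baseline comparison proposed in the message above, as an added example (not part of the original post and not Snort code). The addresses and TTL values are constructed, and the function names, the list of common initial TTLs and the one-hop tolerance are assumptions.

```python
from collections import Counter, defaultdict

# Assumption: senders start from one of these common initial TTL values.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def infer_hops(ttl):
    """Heuristic: map an observed TTL to (assumed initial TTL, hops travelled)."""
    for initial in COMMON_INITIAL_TTLS:
        if 0 <= ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")

def build_baseline(samples):
    """samples: iterable of (src_ip, ttl) from a trusted reference period.
    Returns {src_ip: (initial_ttl, hops)} using the most frequent value seen."""
    seen = defaultdict(Counter)
    for src, ttl in samples:
        seen[src][infer_hops(ttl)] += 1
    return {src: counts.most_common(1)[0][0] for src, counts in seen.items()}

def check(baseline, src, ttl, tolerance=1):
    """Return None when the packet matches the baseline, else a reason string."""
    if src not in baseline:
        return "no baseline"
    base_initial, base_hops = baseline[src]
    initial, hops = infer_hops(ttl)
    if initial != base_initial:
        return f"initial TTL changed {base_initial}->{initial}"
    if abs(hops - base_hops) > tolerance:
        return f"hop count changed {base_hops}->{hops}"
    return None

def audit(baseline, packets, tolerance=1):
    """Return [(src, ttl, reason)] for every packet that deviates."""
    flagged = []
    for src, ttl in packets:
        reason = check(baseline, src, ttl, tolerance)
        if reason:
            flagged.append((src, ttl, reason))
    return flagged

# Constructed sample data (documentation address ranges).
REFERENCE = [("192.0.2.10", 52), ("192.0.2.10", 52), ("192.0.2.10", 52),
             ("192.0.2.10", 53)]
OBSERVED = [("192.0.2.10", 52), ("192.0.2.10", 51), ("192.0.2.10", 47),
            ("192.0.2.10", 120), ("198.51.100.7", 60)]

if __name__ == "__main__":
    for row in audit(build_baseline(REFERENCE), OBSERVED):
        print(row)
```

A flagged packet only shows that the path length or the sending stack differs from the reference period; an ordinary route change produces the same signal.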