Snort mailing list archives

flexresp3: Reset with TTL of 0


From: Jim Hranicky <jfh () ufl edu>
Date: Tue, 26 Oct 2010 14:32:01 -0400

We're currently testing out flexresp3. We have a snort box in IDS mode 
with the following config: 

  eth0   : management interface
  eth1   : reset interface
  eth2   : sniffing interface

  snort: 2.9.0/daq-0.2

From snort.conf: 

  config response: device eth1 attempts 10
  preprocessor stream5_global: max_tcp 8192, memcap 104857600, track_tcp yes, \
                              track_udp no, max_active_responses 10, \
                              min_response_seconds 1

Our rule is like so: 

  alert tcp $HOME_NET any -> [XX.XX.XX.0/24] $HTTP_PORTS 
  (msg:"UFOISC reset test"; classtype:trojan-activity; sid:9000092; 
  resp:reset_XXXX; )

I've tried 'reset_both' and 'reset_dest'.

Preliminary tests were not seeing the resets reach the test machine that
was tripping the rule. Sniffing on the reset interface, I found that the 
reset attempts were going out, but the TTL is 0 (see attached). 

I've tried compiling with and without --enable-ipv6 but the result is
the same. 

Has anyone else seen this behavior? I've likely missed a step somewhere. 

I'll be glad to supply more info if needed. 

-- 
Jim Hranicky
IT Security Engineer
Office of Information Security and Compliance
University of Florida

Attachment: rst.txt

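The symptom in the post (resets leaving the reset interface with an IP TTL of 0) can be confirmed by looking at the packets themselves rather than waiting for the endpoint to react. The script below is an added example, not code from the post or from the Snort project: it parses raw IPv4/TCP packets, reports the TTL and RST flag, and classifies a reset whose TTL is 0 as one that no router will forward. The packet builder and the sample addresses (10.0.0.5, 10.0.1.9) are assumptions used to construct test input so the script runs offline; packets read from a capture on the reset interface would be fed in with the Ethernet header stripped.

```python
"""Check active-response (RST) packets for a zero IP TTL.

Added example, not from the original post. Parses IPv4 + TCP headers from
raw packet bytes (no link-layer header) and flags RST segments whose TTL
is 0; such a packet is discarded by the first router it reaches, so the
reset never arrives at the endpoint being reset.
"""
import struct

TCP_RST = 0x04          # RST bit in the TCP flags field
IPPROTO_TCP = 6


def parse_ipv4_tcp(raw: bytes) -> dict:
    """Parse the IPv4 and TCP headers of a raw packet.

    Returns ttl, src, dst, sport, dport and whether RST is set.
    Raises ValueError for anything that is not well-formed IPv4/TCP.
    """
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if proto != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp = raw[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = offset_flags & 0x1FF           # low 9 bits: NS + the 8 classic flags
    return {
        "ttl": ttl,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "sport": sport,
        "dport": dport,
        "rst": bool(flags & TCP_RST),
    }


def check_reset(raw: bytes) -> str:
    """Classify a packet: 'not-rst', 'rst-ttl-zero' (unroutable) or 'rst-ok'."""
    pkt = parse_ipv4_tcp(raw)
    if not pkt["rst"]:
        return "not-rst"
    if pkt["ttl"] == 0:
        return "rst-ttl-zero"
    return "rst-ok"


def build_rst(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """Construct a minimal IPv4/TCP RST packet for testing (checksums left as 0).

    Assumed helper for producing sample input; a real capture would come
    from the reset interface instead.
    """
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (5 << 12) | TCP_RST,   # data offset 5 words, RST set
                      0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl,
                     IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + tcp


# Constructed samples: a reset with TTL 0 (the symptom in the post) and a
# healthy one with TTL 64. Addresses are placeholders.
SAMPLE_TTL_ZERO = build_rst("10.0.0.5", "10.0.1.9", 80, 51234, 0)
SAMPLE_OK = build_rst("10.0.0.5", "10.0.1.9", 80, 51234, 64)

if __name__ == "__main__":
    for name, pkt in (("ttl0", SAMPLE_TTL_ZERO), ("ok", SAMPLE_OK)):
        print(name, check_reset(pkt), parse_ipv4_tcp(pkt))
```

Running the script prints `rst-ttl-zero` for the first sample and `rst-ok` for the second. Feeding it the packets observed on eth1 distinguishes a reset that was never routable (TTL 0, as in the post) from one that left correctly but was dropped elsewhere in the path.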