[Snort-devel] fragroute related fixes need testing on real networks

Peter Johnson rottz at ...403...
Mon Apr 22 20:03:02 EDT 2002

Chris Green wrote:
> TCP stream stuff already had the min_ttl option to detect this attack
> so that it will throw away anything underneath that.
After running build 127 this weekend, I saw this.
[**] spp_stream4: TTL EVASION (reassemble) detection [**]
04/21-14:15:08.197485 0:A0:C5:E5:F6:93 -> 0:A0:CC:61:EC:DE type:0x800 
a.b.c.d:8572 -> a.b.c.53:80 TCP TTL:17 TOS:0x0 ID:0 IpLen:20 DgmLen:43
***A*R** Seq: 0xA400514D  Ack: 0x0  Win: 0x0  TcpLen: 20
63 6B 6F                                         cko

Which is traffic to my webserver, which seems odd?
Maybe still needs a little tweaking. *shrug*
I'm compiling and installing today's changes, right now.

> I added this option to frag2
> Also, there is a ttl_limit option to both.  Basically, this will alert
> on anything that is different by more than a certain limit
I don't get much fragmentation on my network, so hopefully others can test.

> The default is 5 picked off the cuff.  Know of any papers that measure
> the avg and std deviation of TTLs on normal internet traffic across a
> large sample and I'll be your buddy.
See if any of these help at all....

> Thanks for your help and patience,
> Chris

No! Thank you for all your work!! :)
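The two checks Chris describes (min_ttl discarding low-TTL packets, ttl_limit alerting when a packet's TTL drifts from the stream's baseline by more than a limit, default 5) can be modelled in a few lines. This is an added example, not Snort's spp_stream4 or frag2 code; the baseline-per-direction keying and the "alert but still accept" handling for ttl_limit are assumptions made here, and the packets are constructed.

```python
"""Model of stream4/frag2-style TTL evasion checks (added example, not Snort code).
Assumed semantics, taken from the thread:
  - min_ttl:   anything with TTL below it is thrown away (alert + discard).
  - ttl_limit: alert when TTL differs from the stream baseline by more than
               the limit (default 5); the packet is still passed on (assumption).
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int


@dataclass
class TTLTracker:
    min_ttl: int = 1
    ttl_limit: int = 5
    baseline: dict = field(default_factory=dict)   # per-direction first-seen TTL (assumption)
    alerts: list = field(default_factory=list)

    def process(self, p: Packet) -> bool:
        """Return True if the packet is accepted for reassembly, False if discarded."""
        if p.ttl < self.min_ttl:
            self.alerts.append(("TTL below min_ttl", p.ttl))
            return False
        key = (p.src, p.sport, p.dst, p.dport)
        base = self.baseline.setdefault(key, p.ttl)  # first packet sets the baseline
        if abs(p.ttl - base) > self.ttl_limit:
            self.alerts.append(("TTL EVASION (reassemble)", p.ttl))
        return True


# Constructed sample stream: normal hop-count jitter, then a packet whose TTL is
# far below the baseline (the pattern the ttl_limit check is meant to flag), then
# one below min_ttl that should be discarded outright.
SAMPLE = [
    Packet("a.b.c.d", 8572, "a.b.c.53", 80, 64),
    Packet("a.b.c.d", 8572, "a.b.c.53", 80, 61),   # within limit, no alert
    Packet("a.b.c.d", 8572, "a.b.c.53", 80, 17),   # drift > 5: alert
    Packet("a.b.c.d", 8572, "a.b.c.53", 80, 2),    # below min_ttl: discard
]


def run(packets=SAMPLE, min_ttl=3, ttl_limit=5):
    t = TTLTracker(min_ttl, ttl_limit)
    accepted = sum(1 for p in packets if t.process(p))
    return accepted, t.alerts
```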
