[Snort-devel] Removal of flags A+ in favor of established

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue May 21 08:19:03 EDT 2002


Everything appears wonderful now.  The only thing I notice that anyone may
care about:

(spp_stream4) TTL EVASION (reassemble) detection

When I first start up snort on a large pipe, I'll get a few of these.  It's
a short burst of them (10-20 in my tests), that doesn't happen again (or
hasn't happened again in the 10 minutes I've had it running).

I tested this by starting up 147 on a few of our other interfaces, and had
similar results.  This may just relate to our TTL... Our minTTL is 1 and our
TTL Limit is 5.

-----Original Message-----
From: Chris Green 
Sent: Tuesday, May 21, 2002 9:51 AM
To: Kreimendahl, Chad J
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established

Changed. Disable evasion alerts should do the right thing for you now.
-- 
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod



