[Snort-devel] Removal of flags A+ in favor of established

Chris Green cmg at ...402...
Tue May 21 08:55:03 EDT 2002


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

>
> When I first start up snort on a large pipe, I'll get a few of these.  It's
> a short burst of them (10-20 in my tests), that doesn't happen again (or
> hasn't happened again in the 10 minutes I've had it running).

Hrm.  It'd be itneresting to see whats causing those because the first
packets should set the ttl and then only check for a diffence of
them.

What kind of traffic do they alert on at first?
-- 
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod




More information about the Snort-devel mailing list