[Snort-devel] Removal of flags A+ in favor of established
Kreimendahl, Chad J
Chad.Kreimendahl at ...1167...
Tue May 21 09:00:03 EDT 2002
Initially it was just web traffic coming back from a website into our proxy.
I just now saw the first one of those appear without having to start snort.
Came on an SMTP connection with a TTL of 21.
From: Chris Green [mailto:cmg at ...402...]
Sent: Tuesday, May 21, 2002 10:52 AM
To: Kreimendahl, Chad J
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established
"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:
> When I first start up snort on a large pipe, I'll get a few of these.
> It's a short burst of them (10-20 in my tests), that doesn't happen
> again (or hasn't happened again in the 10 minutes I've had it
Hrm. It'd be interesting to see what's causing those because the first
packets should set the ttl and then only check for a difference of them.
What kind of traffic do they alert on at first?
Chris Green <cmg at ...402...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod