[Snort-devel] Removal of flags A+ in favor of established

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue May 21 09:00:03 EDT 2002

Initially it was just web traffic coming back from a website into our proxy.
I just now saw the first one of those appear without having to start snort.
Came on an SMTP connection with a TTL of 21.

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Tuesday, May 21, 2002 10:52 AM
To: Kreimendahl, Chad J
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established

"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> When I first start up snort on a large pipe, I'll get a few of these.  
> It's a short burst of them (10-20 in my tests), that doesn't happen 
> again (or hasn't happened again in the 10 minutes I've had it 
> running).

Hrm.  It'd be interesting to see what's causing those because the first
packets should set the ttl and then only check for a difference of them.

What kind of traffic do they alert on at first?
Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
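The check Chris describes above (record the TTL from the first packets of a flow, then alert only when a later packet's TTL differs from it) can be modelled in a few lines. The example below is an added illustration written for this thread, not Snort's stream4 source; the flow key, the `ttl_limit` tolerance of 5 hops and the sample packets are all assumptions constructed here. It also shows the property that makes such a check noisy when a sensor is started mid-stream: the baseline is only as good as the first packet the sensor happens to see, so an odd first packet makes every later normal packet look anomalous.

```python
from collections import namedtuple

# Minimal packet model (constructed for this example).
Packet = namedtuple("Packet", "src dst sport dport ttl")


def ttl_check(packets, ttl_limit=5):
    """Record the first-seen TTL for each flow direction and report any
    later packet whose TTL differs from that baseline by more than
    ttl_limit hops.  ttl_limit=5 is an assumed tolerance, chosen so that
    ordinary one- or two-hop route flaps do not alert.  A large drop in
    TTL is the classic sign of an insertion attack: the packet was crafted
    to expire before reaching the host the sensor is protecting."""
    baseline = {}
    alerts = []
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport)   # one baseline per direction
        if key not in baseline:
            baseline[key] = p.ttl                # first packet sets the TTL
            continue
        if abs(p.ttl - baseline[key]) > ttl_limit:
            alerts.append((key, baseline[key], p.ttl))
    return alerts


# Constructed SMTP session: client side at TTL 21, one hop of jitter, one
# inserted packet at TTL 3; server side at TTL 54 (a separate baseline).
CLIENT = ("10.0.0.5", "192.0.2.25", 4001, 25)
SERVER = ("192.0.2.25", "10.0.0.5", 25, 4001)
NORMAL_SESSION = [
    Packet(*CLIENT, ttl=21),
    Packet(*CLIENT, ttl=21),
    Packet(*CLIENT, ttl=20),   # within tolerance, no alert
    Packet(*CLIENT, ttl=3),    # crafted packet, alert
    Packet(*SERVER, ttl=54),
    Packet(*SERVER, ttl=54),
]

# Same traffic, but the sensor's first glimpse of the flow is the odd
# packet: the baseline is wrong, so the legitimate packets alert instead.
BAD_BASELINE_SESSION = [
    Packet(*CLIENT, ttl=3),
    Packet(*CLIENT, ttl=21),
    Packet(*CLIENT, ttl=21),
]


def startup_noise_count():
    """Number of alerts raised when the baseline was set by an odd packet."""
    return len(ttl_check(BAD_BASELINE_SESSION))


if __name__ == "__main__":
    for key, base, seen in ttl_check(NORMAL_SESSION):
        print(f"TTL limit exceeded on {key}: baseline {base}, saw {seen}")
    print(f"alerts with a bad baseline: {startup_noise_count()}")
```

Run as a script it prints one alert for the inserted TTL 3 packet, and two alerts for the bad-baseline session even though those two packets are the legitimate ones. Whether that second effect is what Chad saw on startup is not established in the thread; the model only shows that a first-packet baseline has this failure mode.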
