[Snort-devel] Removal of flags A+ in favor of established

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue May 21 15:13:02 EDT 2002

Running 147 on all 10 of our interfaces, and in the span of 4 hours have 512
of the (spp_stream4) TTL EVASION (reassemble) detection.

Most of the src_ip come from our department's VLAN.  The rest are inbound
data to our proxy servers.  Should this one also only alert if no

In looking at the code for this rule, it looks like it's comparing the TTL
for the first packet with the TTL for the current packet, and if it's
greater than a ttl_limit that is set... Then it alerts.  Is that assumption
correct?  So is the default ttl_limit 1? And do you think that simply
setting ttl_limit to something like 2 or 3 or more will solve this problem?

Will changing this number to something greater than 1 cause any problems
with any other settings within stream4... Or cause stream4 to disregard
anything else?

-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Tuesday, May 21, 2002 11:11 AM
To: Kreimendahl, Chad J
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established

"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Initially it was just web traffic coming back from a website into our
> proxy. I just now saw the first one of those appear without having to
> start snort. Came on an SMTP connection with a TTL of 21.

Those will go off in normal traffic if a route drastically changes or
something like that.

The case where it's starting out is a bit more worrying to me. I'll take a
gander at it today sometime.

Chris Green <cmg at ...402...>
To err is human, to moo bovine.
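To make the check Chad describes concrete (remember the TTL of the first packet on a stream, alert when a later packet's TTL differs from it by more than ttl_limit), here is a small standalone illustration added to this thread. It is not Snort's spp_stream4 code; the struct and function names and the sample TTL sequence are constructed. The sample mirrors the two cases in the thread: a flow holding around TTL 21 that wobbles by a hop or two after a route change, and one packet that is far off the baseline. Raising ttl_limit from 1 to 2 silences the small wobble while the large deviation still alerts.

```c
/* Added illustration of the TTL-deviation check discussed in the thread.
 * Toy code, not Snort's spp_stream4; names and sample data are constructed. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int first_ttl;   /* TTL of the first packet seen on the stream, -1 until set */
} stream_ttl_state;

/* Returns 1 if this packet would raise the TTL evasion alert, 0 otherwise.
 * The first packet only establishes the baseline and never alerts. */
int check_ttl(stream_ttl_state *s, int ttl, int ttl_limit)
{
    if (s->first_ttl < 0) {
        s->first_ttl = ttl;
        return 0;
    }
    int diff = abs(ttl - s->first_ttl);
    return diff > ttl_limit;
}

/* Run a whole stream of TTLs through the check and count the alerts. */
int count_alerts(const int *ttls, int n, int ttl_limit)
{
    stream_ttl_state s = { -1 };
    int alerts = 0;
    for (int i = 0; i < n; i++)
        alerts += check_ttl(&s, ttls[i], ttl_limit);
    return alerts;
}

/* Constructed sample stream: baseline TTL 21, a two-hop wobble (23) and a
 * one-hop wobble (20) as a route change might cause, then one packet at
 * TTL 5, far below the baseline. */
static const int sample_ttls[] = { 21, 21, 23, 21, 20, 21, 5, 21 };
static const int sample_n = sizeof sample_ttls / sizeof sample_ttls[0];

int main(void)
{
    for (int limit = 1; limit <= 3; limit++)
        printf("ttl_limit=%d -> %d alert(s)\n", limit,
               count_alerts(sample_ttls, sample_n, limit));
    return 0;
}
```

With ttl_limit 1 both the two-hop wobble and the TTL 5 packet alert; with ttl_limit 2 or 3 only the TTL 5 packet does, which is the trade-off Chad is asking about: a larger limit drops the route-change noise but also tolerates correspondingly larger real deviations.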
