[Snort-devel] Removal of flags A+ in favor of established

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Tue May 21 15:13:02 EDT 2002


Running 147 on all 10 of our interfaces, and in the span of 4 hours have 512 of the (spp_stream4) TTL EVASION (reassemble) detection.

Most of the src_ip come from our department's VLAN.  The rest are inbound
data to our proxy servers.  Should this one also only alert if no
disable_evasion_alerts?

In looking at the code for this rule, it looks like it's comparing the TTL
for the first packet with the TTL for the current packet, and if it's
greater than a ttl_limit that is set... then it alerts.  Is that assumption
correct?  So is the default ttl_limit 1?  And do you think that simply
setting ttl_limit to something like 2 or 3 or more will solve this problem?

Will changing this number to something greater than 1 cause any problems
with any other settings within stream4... Or cause stream4 to disregard
anything else?



-----Original Message-----
From: Chris Green [mailto:cmg at ...402...] 
Sent: Tuesday, May 21, 2002 11:11 AM
To: Kreimendahl, Chad J
Cc: 'snort-devel at lists.sourceforge.net'
Subject: Re: [Snort-devel] Removal of flags A+ in favor of established


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Initially it was just web traffic coming back from a website into our 
> proxy. I just now saw the first one of those appear without having to 
> start snort. Came on an SMTP connection with a TTL of 21.

Those will go off in normal traffic if a route drastically changes or
something like that.

The case where it's starting out is a bit more worrying to me. I'll take a
gander at it today sometime
-- 
Chris Green <cmg at ...402...>
To err is human, to moo bovine.
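The check Chad describes above (remember the TTL of the packet that opened a session, alert when a later packet's TTL differs by more than ttl_limit) is small enough to model directly. The block below is an added illustration for this thread, not the spp_stream4 source; it implements Chad's reading of the logic, not necessarily what stream4 actually did. The session key, the per-direction tracking (the two endpoints sit at different hop distances, so their TTLs are compared separately), the `disable_evasion_alerts` flag and all sample traffic are constructed for the example. It shows the trade-off the thread is circling: a ttl_limit of 1 fires on a two-hop route change of the kind Chris mentions, while a limit of 3 stays quiet on that and still catches a segment whose TTL is cut low enough to expire before the destination, which is the insertion case the alert exists for. Whether a larger ttl_limit interacts with any other stream4 setting is not something this model can answer.

```python
"""Toy model of the TTL evasion check as described in the thread.

Illustrative re-implementation only: first-packet TTL vs. current-packet TTL,
alert when the absolute difference exceeds ttl_limit. It is not Snort code;
session key, flags and sample packets are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed packet shape: (src_ip, src_port, dst_ip, dst_port, ttl)
Packet = Tuple[str, int, str, int, int]
# Tracked per direction, since each endpoint is a different hop count away.
SessionKey = Tuple[str, int, str, int]


@dataclass
class Session:
    first_ttl: int            # TTL on the packet that opened this direction
    packets: int = 1


@dataclass
class TtlEvasionDetector:
    ttl_limit: int = 1                    # assumed default, per Chad's question
    disable_evasion_alerts: bool = False  # hypothetical knob, models his "also" question
    sessions: Dict[SessionKey, Session] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def process(self, pkt: Packet) -> Optional[str]:
        """Track one packet; return the alert text if the TTL check fires."""
        src, sport, dst, dport, ttl = pkt
        key: SessionKey = (src, sport, dst, dport)
        sess = self.sessions.get(key)
        if sess is None:
            # First packet in this direction sets the baseline.
            self.sessions[key] = Session(first_ttl=ttl)
            return None
        sess.packets += 1
        delta = abs(ttl - sess.first_ttl)
        if delta > self.ttl_limit and not self.disable_evasion_alerts:
            msg = (f"(spp_stream4) TTL EVASION (reassemble) detection "
                   f"{src}:{sport} -> {dst}:{dport} "
                   f"first_ttl={sess.first_ttl} ttl={ttl} delta={delta}")
            self.alerts.append(msg)
            return msg
        return None


def run(packets: List[Packet], ttl_limit: int, disable: bool = False) -> int:
    """Feed a packet list through a fresh detector; return the alert count."""
    det = TtlEvasionDetector(ttl_limit=ttl_limit, disable_evasion_alerts=disable)
    for p in packets:
        det.process(p)
    return len(det.alerts)


# Constructed traffic 1: a server-to-proxy stream whose path changes
# mid-session, so the TTL drops from 54 to 52 (two extra hops).
ROUTE_CHANGE: List[Packet] = [
    ("203.0.113.10", 80, "192.0.2.5", 40001, 54),
    ("203.0.113.10", 80, "192.0.2.5", 40001, 54),
    ("203.0.113.10", 80, "192.0.2.5", 40001, 52),
    ("203.0.113.10", 80, "192.0.2.5", 40001, 52),
]

# Constructed traffic 2: an insertion attempt against an SMTP server. The
# session opens at TTL 60; one segment is sent with TTL 3 so it reaches the
# sensor but expires before the server, desynchronising reassembly.
INSERTION: List[Packet] = [
    ("198.51.100.7", 51000, "192.0.2.5", 25, 60),
    ("198.51.100.7", 51000, "192.0.2.5", 25, 60),
    ("198.51.100.7", 51000, "192.0.2.5", 25, 3),
    ("198.51.100.7", 51000, "192.0.2.5", 25, 60),
]

if __name__ == "__main__":
    for limit in (1, 3):
        print(f"ttl_limit={limit}: route change -> {run(ROUTE_CHANGE, limit)} alerts, "
              f"insertion -> {run(INSERTION, limit)} alerts")
    print(f"disabled: insertion -> {run(INSERTION, 3, disable=True)} alerts")
```

With ttl_limit=1 the route-change stream produces two alerts (every packet after the shift is compared against the original baseline, so a long session keeps alerting); with ttl_limit=3 it produces none, while the TTL-3 insertion segment still trips the check at either setting.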
