[Snort-devel] Removal of flags A+ in favor of established
cmg at ...402...
Tue May 21 15:51:02 EDT 2002
"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:
> Running 147 on all 10 of our interfaces, and in the span of 4 hours have 512
> of the
> (spp_stream4) TTL EVASION (reassemble) detection.
> Most of the src_ip come from our department's VLAN. The rest are inbound
> data to our proxy servers. Should this one also only alert if no
That should only go off if ttl_limit is not 0. Confusing I know.
Redesign options sometime in the future I shall.
> In looking at the code for this rule, it looks like it's comparing the TTL
> for the first packet with the TTL for the current packet, and if it's
> greater than a ttl_limit that is set... Then it alerts. Is that assumption
> correct? So is the default ttl_limit 1? And do you think that simply
> setting ttl_limit to something like 2 or 3 or more will solve this
default it's set to 5;
> Will changing this number to something greater than 1 cause any problems
> with any other settings within stream4... Or cause stream4 to disregard
> anything else?
No, it just generates alerts there. If it isn't enabled, the packets
will be processed normally ( or at least it should -- I'll go take
another look at it tonight )
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
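The check described in the exchange above, modelled as an added Python example (this is not Snort's stream4 code, and the session/packet names are made up for illustration): the first packet of a session records its TTL, every later packet is compared against it, an alert fires when the difference exceeds ttl_limit, and a ttl_limit of 0 disables the check entirely. Whether the real preprocessor compares in one direction or by absolute difference is not stated on the page; the absolute difference used here is an assumption. The sample TTL sequences are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Default stated in the thread ("default it's set to 5").
DEFAULT_TTL_LIMIT = 5


@dataclass
class Session:
    """Minimal per-session state: the TTL seen on the first packet
    and any TTL evasion alerts raised so far (hypothetical structure)."""
    first_ttl: Optional[int] = None
    alerts: List[Tuple[int, int, int]] = field(default_factory=list)


def check_ttl_evasion(session: Session, pkt_no: int, ttl: int,
                      ttl_limit: int = DEFAULT_TTL_LIMIT) -> bool:
    """Return True if this packet trips the modelled TTL evasion check.

    The first packet only seeds session.first_ttl. Later packets alert when
    abs(ttl - first_ttl) > ttl_limit. A ttl_limit of 0 disables the check,
    matching "That should only go off if ttl_limit is not 0".
    """
    if session.first_ttl is None:
        session.first_ttl = ttl
        return False
    if ttl_limit == 0:
        return False
    # Assumption: absolute difference; the thread does not say which
    # direction Snort compares.
    if abs(ttl - session.first_ttl) > ttl_limit:
        session.alerts.append((pkt_no, session.first_ttl, ttl))
        return True
    return False


def run_stream(ttls: List[int],
               ttl_limit: int = DEFAULT_TTL_LIMIT) -> List[Tuple[int, int, int]]:
    """Feed a constructed sequence of per-packet TTLs for one session through
    the check and return the (packet index, first TTL, offending TTL) alerts."""
    session = Session()
    for pkt_no, ttl in enumerate(ttls):
        check_ttl_evasion(session, pkt_no, ttl, ttl_limit)
    return session.alerts


if __name__ == "__main__":
    # Constructed sample: small TTL jitter from route changes is typical
    # traffic and stays under the default limit of 5.
    print("benign jitter:", run_stream([64, 63, 64, 62]))
    # Constructed sample: one segment arrives with a TTL 20 lower than the
    # first packet, which is the pattern the detection is meant to flag.
    print("large TTL drop:", run_stream([64, 44, 64]))
    # Same stream with ttl_limit 0: the check is disabled, no alert.
    print("limit 0 disables:", run_stream([64, 44, 64], ttl_limit=0))
```

Raising ttl_limit, as the reply suggests, only widens the tolerated band of TTL variation for this one alert; in this model nothing else about how the session is tracked changes, which mirrors the answer that the setting "just generates alerts there".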