[Snort-devel] Removal of flags A+ in favor of established

Chris Green cmg at ...402...
Tue May 21 15:51:02 EDT 2002

"Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> writes:

> Running 147 on all 10 of our interfaces, and in the span of 4 hours have 512
> of the
> (spp_stream4) TTL EVASION (reassemble) detection.
> Most of the src_ip come from our department's VLAN.  The rest are inbound
> data to our proxy servers.  Should this one also only alert if no
> disable_evasion_alerts?

That should only go off if ttl_limit is not 0.  Confusing I know.
Redesign options sometime in the future I shall.

> In looking at the code for this rule, it looks like it's comparing the TTL
> for the first packet with the TTL for the current packet, and if it's
> greater than a ttl_limit that is set... Then it alerts.  Is that assumption
> correct?  So is the default ttl_limit 1? And do you think that simply
> setting ttl_limit to something like 2 or 3 or more will solve this
> problem?

default it's set to 5;

> Will changing this number to something greater than 1 cause any problems
> with any other settings within stream4... Or cause stream4 to disregard
> anything else?

no, it just generates alerts there. If it isn't enabled, the packets
will be processed normally ( or atleast it should -- I'll go take
another look at it tongith )
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx

More information about the Snort-devel mailing list