[Snort-devel] TTL Evasion

Chris Green cmg at ...402...
Thu Sep 19 06:26:03 EDT 2002

"Sam Ng" <sng at ...1047...> writes:

> Here is the code for TTL Evasion.
> I think maybe we should not detect the variation in the TTL; instead,
> maybe we should be alerted only if the ip_ttl is very small, say 1 or
> 2, because this is the case where TCP reassembly will be out of sync
> with the destination (or be confused).

Look at 1.9, we only alert when it's lower than 10 to avoid just plain
normal variations in TTL changes.

Perhaps that should be even lower.

Chris Green <cmg at ...402...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
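
The two heuristics discussed in this thread, side by side, as an added example that is not part of the original messages and is not Snort source. The names `ipv4_ttl`, `make_hdr`, `count_alerts`, the sample stream, and the "differs from the stream's first packet" form of the variation check are assumptions; only the threshold of 10 comes from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TTL_LIMIT 10  /* threshold quoted in the thread for 1.9 */
#define HDR_LEN   20  /* IPv4 header without options */

/* Return the TTL from an IPv4 header, or -1 if the buffer is not one. */
int ipv4_ttl(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < HDR_LEN || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < HDR_LEN || ihl > len) return -1;
    return pkt[8];  /* TTL is the ninth header byte */
}

/* Build a constructed, minimal IPv4 header carrying the given TTL. */
void make_hdr(uint8_t *h, uint8_t ttl)
{
    memset(h, 0, HDR_LEN);
    h[0] = 0x45;  /* version 4, IHL 5 */
    h[8] = ttl;
}

/* Count alerts over one stream. by_delta != 0: flag any TTL differing from
 * the stream's first packet. by_delta == 0: flag only TTL < TTL_LIMIT. */
int count_alerts(const uint8_t *ttls, size_t n, int by_delta)
{
    uint8_t hdr[HDR_LEN];
    int first = -1, alerts = 0;
    for (size_t i = 0; i < n; i++) {
        make_hdr(hdr, ttls[i]);
        int ttl = ipv4_ttl(hdr, sizeof hdr);
        if (first < 0) first = ttl;
        if (by_delta ? (ttl != first) : (ttl < TTL_LIMIT))
            alerts++;
    }
    return alerts;
}

/* Constructed stream: a route change (64 -> 63) and one TTL-2 segment. */
static const uint8_t sample_ttls[] = { 64, 64, 63, 63, 2, 63 };

int main(void)
{
    size_t n = sizeof sample_ttls;
    printf("delta=%d low=%d\n", count_alerts(sample_ttls, n, 1), count_alerts(sample_ttls, n, 0));
    return 0;
}
```

On the constructed stream the variation check fires on every packet after the route change, while the threshold check fires only on the TTL-2 segment.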
