[Snort-sigs] Novice question: Format of ttl option

Magnus Almgren almgren at ...250...
Fri Jan 11 08:40:13 EST 2002


I came across another signature, which might have an error.

The snort rule sid=613 (scan.rules)
  alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan";
  ttl: >220; ack: 0; flags: S;reference:arachnids,439;
  classtype:attempted-recon; sid:613; rev:1;)

contains the option "ttl: >220". However, the (probably a little bit old)
documentation says (section 2.3.3):

  This rule option is used to set a specific time-to-live value to test
  against. The test it performs is only successful on an
  exact match. This option keyword was intended for use in the detection
  of traceroute attempts.

Is the operator ">" allowed here, as well as for the rule option dsize, or
is it there by mistake?


Thanks again for your clarifications.

Cheers,
Magnus







More information about the Snort-sigs mailing list