[Snort-sigs] new Q signature

Jason security at ...704...
Mon Feb 10 14:51:02 EST 2003


Jon wrote:

>On Tue, Feb 11, 2003 at 08:17:14AM +1100, Hall, Andrew (DPRS) wrote:
>  
>
>>Jon,
>>
>>If you are seeing something the TTL decrement all the way to 1 then you
>>probably have a routing loop.  Ie are the destinations actually used in
>>your address space?  If not, what can happen is that your border router
>>will route the address into your network, while your next device inside
>>the border router will route it back by its default route.
>>
>>Just something to check.
>>    
>>
>
>My bad -- I should've been a bit more clear.  
>
>The default TTL limit for Snort's stream4 preprocessor looks to be 5.
>Expiration in the context of stream4's TTL doesn't mean it dropped to 1,
>but rather "oh my, that's low.  you might want to check that out".
>
>It was pure luck that stream4 first picked up on these packets.  The ones
>that I'm catching now have believable TTLs, and are originating from well
>known/used ports like 22,25,80.
>

ttl_limit defines the acceptable ttl variance for a given session.
So in English, if a ttl changes more than ttl_limit in a given session 
then you will get an alert.

If you have asymmetric routes or the upstream or the endpoint or you have 
dynamic load balancing... you can see a bunch of these.

Either increase the limit to be more appropriate for the environment or 
disable it by setting it to 0.

>
>Thanks,
>
>-jon 
>
>  
>
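As an added illustration of the rule Jason describes (this is example code written for this page, not Snort's own stream4 implementation): a small Python model of the ttl_limit check run over a constructed session. It assumes that each endpoint of a session keeps its own baseline TTL (the TTL of the first packet seen from that endpoint) and that an alert fires when a later packet's TTL differs from that baseline by more than ttl_limit; the alert text, the packet records and the traffic below are all made up for the example. The default of 5 and the "0 disables it" behaviour are taken from the thread.

```python
from collections import namedtuple

# Constructed packet record (not a Snort structure): the 4-tuple plus the IP TTL.
Packet = namedtuple("Packet", "src sport dst dport ttl")

DEFAULT_TTL_LIMIT = 5  # stream4 default ttl_limit, as stated in the thread


def _direction_key(pkt):
    """Key a packet by (session, sender).

    The session is the unordered endpoint pair; the sender half lets each
    side of the conversation keep its own TTL baseline (an assumption of
    this model, since client and server hops normally differ).
    """
    sender = (pkt.src, pkt.sport)
    receiver = (pkt.dst, pkt.dport)
    session = tuple(sorted([sender, receiver]))
    return session, sender


def check_ttl(baselines, pkt, ttl_limit=DEFAULT_TTL_LIMIT):
    """Apply the ttl_limit rule to one packet.

    baselines maps (session, sender) -> TTL of the first packet seen from
    that sender.  Returns an alert string when the TTL differs from the
    baseline by more than ttl_limit, otherwise None.  ttl_limit == 0
    disables the check (the baseline is still recorded).
    """
    key = _direction_key(pkt)
    if key not in baselines:
        baselines[key] = pkt.ttl   # first packet from this sender sets the baseline
        return None
    if ttl_limit == 0:
        return None
    delta = abs(pkt.ttl - baselines[key])
    if delta > ttl_limit:
        return (f"stream4 ttl variance: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                f"baseline ttl {baselines[key]} now {pkt.ttl} "
                f"(delta {delta} > ttl_limit {ttl_limit})")
    return None


def run(packets, ttl_limit=DEFAULT_TTL_LIMIT):
    """Feed a packet list through the check and return the alerts raised."""
    baselines = {}
    alerts = []
    for pkt in packets:
        alert = check_ttl(baselines, pkt, ttl_limit)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed traffic for the example, not a real capture: one SSH session
# whose server-side replies start arriving over a longer path mid-session,
# the kind of TTL change asymmetric routing or load balancing produces.
SAMPLE = [
    Packet("10.0.0.5", 40123, "192.0.2.10", 22, 64),   # client, ttl 64 (client baseline)
    Packet("192.0.2.10", 22, "10.0.0.5", 40123, 57),   # server, ttl 57 (server baseline)
    Packet("10.0.0.5", 40123, "192.0.2.10", 22, 64),   # client, unchanged
    Packet("192.0.2.10", 22, "10.0.0.5", 40123, 49),   # server now 8 hops further away
    Packet("10.0.0.5", 40123, "192.0.2.10", 22, 63),   # client wobbles by 1: within limit
]

if __name__ == "__main__":
    for limit in (DEFAULT_TTL_LIMIT, 12, 0):
        alerts = run(SAMPLE, limit)
        print(f"ttl_limit {limit}: {len(alerts)} alert(s)")
        for line in alerts:
            print("   ", line)
```

With the default of 5 the server's 57 to 49 change (delta 8) raises one alert while the client's one-hop wobble does not; raising ttl_limit to 12, as Jason suggests for an environment with asymmetric paths, silences it, and 0 turns the check off entirely.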