[Snort-sigs] new Q signature
security at ...704...
Mon Feb 10 14:51:02 EST 2003
>On Tue, Feb 11, 2003 at 08:17:14AM +1100, Hall, Andrew (DPRS) wrote:
>>If you are seeing something the TTL decrement all the way to 1 then you
>>probably have a routing loop. I.e. are the destinations actually used in
>>your address space? If not, what can happen is that your border router
>>will route the address into your network, while your next device inside
>>the border router will route it back by its default route.
>>Just something to check.
>My bad -- I should've been a bit more clear.
>The default TTL limit for Snort's stream4 preprocessor looks to be 5.
>Expiration in the context of stream4's TTL doesn't mean it dropped to 1,
>but rather "oh my, that's low. you might want to check that out".
>It was pure luck that stream4 first picked up on these packets. The ones
>that I'm catching now have believable TTLs, and are originating from well
>known/used ports like 22,25,80.
ttl_limit defines the acceptable ttl variance for a given session.
so in english, if a ttl changes more than ttl_limit in a given session
then you will get an alert.
if you have asymmetric routes at the upstream or the endpoint, or you have
dynamic load balancing... you can see a bunch of these.
either increase the limit to be more appropriate for the environment or
disable it by setting it to 0
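Added example (not Snort's code): a small Python model of the stream4 ttl_limit check as described above, run over constructed packets (addresses, ports and TTLs made up) to show the steady-path case, the asymmetric-route alert, and the effect of raising the limit or setting it to 0. Tracking the baseline per flow direction is an assumption of this model.

```python
from dataclasses import dataclass

DEFAULT_TTL_LIMIT = 5  # the stream4 default mentioned in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int


def flow_key(pkt):
    # Assumption: one baseline per direction, since client and server
    # naturally sit at different hop distances from the sensor.
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def ttl_alerts(packets, ttl_limit=DEFAULT_TTL_LIMIT):
    """Return (flow_key, baseline_ttl, observed_ttl) for every packet whose
    TTL differs from the first TTL seen on that flow by more than ttl_limit.
    ttl_limit == 0 disables the check, as the post describes."""
    alerts = []
    if ttl_limit == 0:
        return alerts
    baseline = {}
    for pkt in packets:
        key = flow_key(pkt)
        if key not in baseline:
            baseline[key] = pkt.ttl  # first packet sets the session baseline
            continue
        if abs(pkt.ttl - baseline[key]) > ttl_limit:
            alerts.append((key, baseline[key], pkt.ttl))
    return alerts


# Constructed traffic: a steady flow that wobbles by one hop, and a flow
# whose packets alternate between two paths eight hops apart.
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 64),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 63),
    Packet("192.0.2.10", 80, "10.0.0.5", 40000, 50),  # reply direction, own baseline
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 64),
    Packet("10.0.0.7", 40001, "192.0.2.20", 22, 60),
    Packet("10.0.0.7", 40001, "192.0.2.20", 22, 52),  # arrived via the longer path
    Packet("10.0.0.7", 40001, "192.0.2.20", 22, 60),
]

if __name__ == "__main__":
    for limit in (DEFAULT_TTL_LIMIT, 10, 0):
        print(f"ttl_limit={limit}: {ttl_alerts(SAMPLE, limit)}")
```

With the default limit only the load-balanced flow fires; raising ttl_limit to 10 or setting it to 0 silences it, matching the two remedies given above.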