[Snort-sigs] Simple TTL of 1 rules will not alert

Herman Munster zultan at ...1298...
Fri Feb 14 05:46:04 EST 2003


Anyone else noticed this?

These simple traceroute rules do not alert.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound TCP traceroute, TTL=1"; ttl:"|01|"; ip_proto: tcp;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound TCP traceroute, TTL=1"; ttl:"|01|"; ip_proto: tcp;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound UDP traceroute, TTL=1"; ttl:"|01|"; ip_proto: udp;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound UDP traceroute, TTL=1"; ttl:"|01|"; ip_proto: udp;)


I've tried using either decimal or hex for the ttl value, quoted and not, and with and without ip_proto defined, but I get no alerts.

Test packets were generated with hping:

TCP SYN
hping --destport 21 -S -T x.x.x.x

and UDP
hping --destport 21 -2 -T x.x.x.x

(ICMP for traceroute is not an issue because it is blocked at the router.)

Ethereal running on the snort box sees the TTL=1 packets go by, but snort never alerts.
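
A small offline checker, added here as an example and not part of the original post or of Snort itself, that pulls TTL and protocol out of a raw IPv4 header and evaluates the operand forms the Snort 2 manual documents for the ttl option (N, <N, >N, <=N, >=N, =N, N-M). The sample header is constructed to look like the first probe of the hping runs above (TTL=1, protocol 6); the function and variable names are the example's own.

```python
import re
import struct

# Constructed IPv4 header (20 bytes): TTL=1, protocol 6 (TCP), DF set, checksum left zero.
SAMPLE_IPV4_TTL1_TCP = bytes.fromhex(
    "4500002c1c4640000106"  # ver/ihl, tos, total length, id, flags/frag, ttl=1, proto=6
    "0000"                  # header checksum (not verified by this example)
    "c0a80164"              # src 192.168.1.100 (constructed)
    "c0a80201"              # dst 192.168.2.1 (constructed)
)

def parse_ipv4(pkt: bytes):
    """Return (ttl, protocol) from the fixed part of an IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ttl, proto = struct.unpack_from("!BB", pkt, 8)  # TTL is byte 8, protocol byte 9
    return ttl, proto

_RANGE_RE = re.compile(r"^\s*(\d+)\s*-\s*(\d+)\s*$")
_CMP_RE = re.compile(r"^\s*(<=|>=|<|>|=)?\s*(\d+)\s*$")

def ttl_option_matches(operand: str, ttl: int) -> bool:
    """Evaluate a Snort-style ttl operand against a packet TTL.
    Only the documented decimal forms are accepted; a quoted hex byte
    such as "|01|" (content-style notation) is not a ttl operand."""
    m = _RANGE_RE.match(operand)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        return lo <= ttl <= hi
    m = _CMP_RE.match(operand)
    if not m:
        raise ValueError(f"unsupported ttl operand: {operand!r}")
    op, n = m.group(1) or "=", int(m.group(2))
    return {"=": ttl == n, "<": ttl < n, ">": ttl > n,
            "<=": ttl <= n, ">=": ttl >= n}[op]

def ttl_operand_is_valid(operand: str) -> bool:
    """True if the operand would be accepted by ttl_option_matches."""
    try:
        ttl_option_matches(operand, 1)
        return True
    except ValueError:
        return False

def rule_fires(pkt: bytes, ttl_operand: str, ip_proto: int) -> bool:
    """Does a rule with ttl:<operand> and ip_proto:<number> match this header?"""
    ttl, proto = parse_ipv4(pkt)
    return proto == ip_proto and ttl_option_matches(ttl_operand, ttl)
```

Running the constructed header through `rule_fires(SAMPLE_IPV4_TTL1_TCP, "1", 6)` gives True, while `ttl_operand_is_valid("|01|")` is False, which separates a rule-syntax problem from a packet-visibility problem when a rule stays silent.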
