[Snort-users] spp_ttlwatch.c 1.0b1

Dragos Ruiu dr at ...50...
Wed Aug 16 01:22:49 EDT 2000

I've been working on some interesting add-ons for snort....
I will likely be releasing a range of plug-ins to accompany
Fyodor's new plug-in management stuff.... here is the first.

Some discussion got me thinking about traceroutes.
This is a snort preprocessor that will conclusively tell you when
you are being tracerouted or firewalked.

For now, to add it to an existing snort distribution:

- add spp_ttlwatch.c to the list of source files in the Makefile
- add spp_ttlwatch.o to the list of object files in the Makefile
- add a call to SetupTTLwatch() in InitPreprocessors() in file plugbase.c
- add a line to your rules file that says:

	preprocessor TTLwatch

And you are done.... now whenever you enable this preprocessor
it will keep track of the TTL for any IP address seen in the last hour
and tell you via an alarm whenever the TTL changes on an address.
This will conclusively tell you when and who is tracerouting....
But, you may find the alarming quite noisy.... it's there if you want it.
I wouldn't recommend everyday use of this, but it should be
handy in some high alert level situations.

Enjoy... comments, bug-reports, and feedback welcome.
I would especially welcome any feedback as to how this plug-in 
affects CPU utilization and memory footprint on a loaded 
down link (i.e. what is it with it enabled and without).


P.S. Caveat.... since it's based on a variant of the defragger this
may also have alignment issues under Solaris...

dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: spp_ttlwatch.c
Type: text/x-c
Size: 10051 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20000815/7c82f99e/attachment.bin>
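
The tracking the message describes (remember each address's TTL for an hour, alarm when it changes), as an added example; it is not the attached spp_ttlwatch.c and not Snort code. The fixed 1024-slot table, the hash, and the names ttlw_entry and ttlw_observe are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define TTLW_SLOTS  1024u   /* fixed table size (assumption): bounds memory use */
#define TTLW_WINDOW 3600u   /* seconds an address is remembered: "the last hour" */

struct ttlw_entry {
    uint32_t addr;       /* source IPv4 address */
    uint32_t last_seen;  /* capture time of the last packet, in seconds */
    uint8_t  ttl;        /* IP TTL carried by that packet */
    uint8_t  used;       /* slot holds a real observation */
};

static struct ttlw_entry ttlw_table[TTLW_SLOTS];
/* Record one packet. Returns 1 and stores the previous TTL in *old_ttl when
 * the same address was seen within the window with a different TTL. */
int ttlw_observe(uint32_t addr, uint8_t ttl, uint32_t now, uint8_t *old_ttl)
{
    /* Multiplicative hash, top 10 bits select one of 1024 slots. A colliding
     * address overwrites the slot: a missed alert, never unbounded growth. */
    struct ttlw_entry *e = &ttlw_table[(addr * 2654435761u) >> 22];
    int changed = 0;
    if (e->used && e->addr == addr && now - e->last_seen <= TTLW_WINDOW
        && e->ttl != ttl) {
        *old_ttl = e->ttl;
        changed = 1;
    }
    e->addr = addr;
    e->ttl = ttl;
    e->last_seen = now;
    e->used = 1;
    return changed;
}

int main(void)
{
    /* Constructed sample: {source address, TTL, seconds}. 192.0.2.7 arrives
     * with a steady TTL; 198.51.100.9 arrives with TTL 1, 2, 3. */
    static const uint32_t pkts[][3] = {
        {0xC0000207u, 57, 0}, {0xC6336409u, 1, 1}, {0xC0000207u, 57, 2},
        {0xC6336409u, 2, 3},  {0xC6336409u, 3, 4},
    };
    uint8_t old;
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        if (ttlw_observe(pkts[i][0], (uint8_t)pkts[i][1], pkts[i][2], &old))
            printf("TTL change on %08x: %u -> %u\n", (unsigned)pkts[i][0],
                   (unsigned)old, (unsigned)pkts[i][1]);
    return 0;
}
```

Because every TTL difference on an address raises an alert, ordinary route changes trigger it too, which is the noise the message warns about.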
