[Snort-users] Range values for TTL

Fyodor fygrave at ...121...
Sun May 6 15:56:24 EDT 2001

On Mon, May 07, 2001 at 01:08:56AM +0800, Tan Chee Leong wrote:
> Hi,
> A question about rule-making.  It doesn't seem possible to set a range of
> TTL values to check.  Did I miss out something?  If it is really not
> possible, can it be considered in the next version?  This may be very
> helpful in identifying the platform of the intruder.
> Pardon me if I have been ignorant in the first place.

We had 'ttl: < 5;' and 'ttl: > 6' support before. I just
added support for : 'ttl: 5-10' (or even 'ttl: - 5;' or
'ttl: 5 -;' which is equal to '0-5' and '5-255' range), let
me know if that's enough for your needs.. :-) 

You will need to cvsup current cvs tree. (or wait a day and
fetch http://snort.sourceforge.net/snort-daily.tar.gz :))


More information about the Snort-users mailing list