[Snort-users] Range values for TTL
vision at ...4...
Sun May 6 22:28:35 EDT 2001
Thanks Fyodor :)
There were a couple of intrusion events that rely on the TTL field..
IDS3/Traceroute TCP (ttl=1)
IDS29/probe-Queso Fingerprint attempt (ttl>225)
IDS115/Traceroute UDP (ttl=1)
IDS118/Traceroute ICMP (ttl=1)
I think that aside from the special case of traceroute, it would be a bad
idea to create rules based on ttl alone (to do passive os detection for
example).. you would have a steady stream of alerts. passiveOS.pl or some
other post-processing would be better.
On Mon, 7 May 2001, Fyodor wrote:
> On Mon, May 07, 2001 at 01:08:56AM +0800, Tan Chee Leong wrote:
> > Hi,
> > A question about rule-making. It doesn't seem possible to set a range of
> > TTL values to check. Did I miss out something? If it is really not
> > possible, can it be considered in the next version? This may be very
> > helpful in identifying the platform of the intruder.
> > Pardon me if I have been ignorant in the first place.
> We had 'ttl: < 5;' and 'ttl: > 6' support before. I just
> added support for : 'ttl: 5-10' (or even 'ttl: - 5;' or
> 'ttl: 5 -;' which is equal to '0-5' and '5-255' range), let
> me know if that's enough for your needs.. :-)
> You will need to cvsup current cvs tree. (or wait a day and
> fetch http://snort.sourceforge.net/snort-daily.tar.gz :))
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users