[Snort-users] TTL EVASION

RR rehmanr at ...6488...
Thu Aug 1 11:10:37 EDT 2002


AFAIK this should come from either the frag2 or stream4 preprocessors. This is
triggered based upon a difference of TTL in a conversation (correct me if I am
wrong). It may be caused by the traceroute command. Try disabling these two
plugins one by one to find out the exact source of the message.

Rafeeq Rehman

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Sheahan,
Paul (PCLN-NW)
Sent: Thursday, August 01, 2002 11:06 AM
To: Snort List (E-mail)
Subject: [Snort-users] TTL EVASION



Hello,

I just upgraded to Snort 1.8.7 and am running it on RHLinux 7.0.

I'm getting tons of these alerts - "TTL EVASION (reassemble) detection".
What do these indicate and how can I turn this off?


Thanks
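
A sketch of the per-conversation TTL comparison the reply describes, as an added example that is not part of the original messages and is not Snort's code. The record layout, the `TTL_LIMIT` tolerance and the sample packets are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet summaries (not captured traffic): one record per TCP segment.
Pkt = namedtuple("Pkt", "src sport dst dport ttl")

TTL_LIMIT = 5  # assumed tolerance, in hops, before a TTL change is reported


def ttl_anomalies(packets, limit=TTL_LIMIT):
    """Return (flow, baseline_ttl, seen_ttl) for every packet whose TTL differs
    from the first TTL seen for that direction of the conversation by more
    than `limit`."""
    baseline = {}   # (src, sport, dst, dport) -> TTL of first packet seen
    findings = []
    for p in packets:
        flow = (p.src, p.sport, p.dst, p.dport)   # one key per direction
        first = baseline.setdefault(flow, p.ttl)
        if abs(p.ttl - first) > limit:
            findings.append((flow, first, p.ttl))
    return findings


def summarize(findings):
    """Count findings per flow so a noisy conversation stands out when tuning."""
    counts = {}
    for flow, _first, _seen in findings:
        counts[flow] = counts.get(flow, 0) + 1
    return counts


SAMPLE = [
    # Steady TTL: nothing reported.
    Pkt("192.0.2.10", 40001, "198.51.100.5", 80, 57),
    Pkt("192.0.2.10", 40001, "198.51.100.5", 80, 57),
    # Reverse direction has its own baseline, so 64 vs 57 is not a finding.
    Pkt("198.51.100.5", 80, "192.0.2.10", 40001, 64),
    # Small drift (for example a route change) stays inside the tolerance.
    Pkt("192.0.2.10", 40001, "198.51.100.5", 80, 55),
    # Same conversation, very different TTL: reported.
    Pkt("192.0.2.10", 40001, "198.51.100.5", 80, 3),
    # Second client whose TTL jumps twice: two findings on one flow.
    Pkt("192.0.2.77", 40002, "198.51.100.5", 80, 120),
    Pkt("192.0.2.77", 40002, "198.51.100.5", 80, 60),
    Pkt("192.0.2.77", 40002, "198.51.100.5", 80, 61),
]

if __name__ == "__main__":
    for flow, first, seen in ttl_anomalies(SAMPLE):
        print(f"TTL change on {flow}: first seen {first}, now {seen}")
```

Grouping the findings with `summarize` shows whether the alerts come from a handful of conversations or from many, which helps when deciding whether to tune or disable a preprocessor.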

