[Snort-users] TTL EVASION

RR rehmanr at ...6488...
Thu Aug 1 11:10:37 EDT 2002

AFAIK this should come from either frag2 or stream4 preprocessors. This is
triggered based upon difference of TTL in a conversation (Correct me if I am
wrong). It may be caused by traceroute command. Try disabling these two
plugins one by one to find out the exact source of the message.

Rafeeq Rehman

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Sheahan,
Paul (PCLN-NW)
Sent: Thursday, August 01, 2002 11:06 AM
To: Snort List (E-mail)
Subject: [Snort-users] TTL EVASION


I just upgraded to Snort 1.8.7 and running on RHLinux 7.0

I'm getting tons of these alerts - "TTL EVASION (reassemble) detection".
What do these indicate and how can I turn this off?


This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list