[Snort-users] IP Question Part 2

Jim Gifford maillist at ...6454...
Wed Aug 7 22:17:01 EDT 2002


My original question was how can I prevent my company's VPN server showing up in snort?

I have added the rule
pass tcp (inet_ip) any <> (vpn_ip) any

But I still get the following message from snort.
" spp_stream4: TTL EVASION (reassemble) detection"

Here is the packet in question

Generated by ACID v0.9.6b21 on Wed August 07, 2002 22:09:12

------------------------------------------------------------------------------
#(1 - 63954) [2002-08-07 12:44:12]  spp_stream4: TTL EVASION (reassemble) detection
IPv4: (inet_ip) -> (vpn_ip)
      hlen=5 TOS=0 dlen=190 ID=43209 flags=0 offset=0 TTL=48 chksum=34589
TCP:  port=500 -> dport: 80  flags=***AP*** seq=25559302
      ack=83064 off=5 res=0 win=65535 urp=0 chksum=45736
Payload:  length = 150





