[Snort-users] lots of ttl evasion attempt alerts snort 1.8.7

Michael Scheidell scheidell at ...5171...
Thu Jul 11 14:32:02 EDT 2002


I won't say BILLIONS, but 200 more of these in 21 hours of running snort
1.8.7 vs 1.8.6beta6.

starting snort thus:
/usr/local/bin/snort -doDI -m 022 -z \
-c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort

system is FBSD 4.5.

I did not change my snort.conf:
preprocessor frag2
preprocessor stream4: noinspect, disable_evasion_alerts
preprocessor stream4_reassemble: noalerts

------------------------------------------------------------------------
07/11/02-21:14:17.835920  {TCP} 194.51.131.66:1428 -> 10.1.1.10:25
[**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
[Classification: Not Suspicious Traffic] [Priority: 5]

All destinations are the internal mail server; various external sources.

46 just from sourceforge alone (I don't think they really are
spoofing/hacking/scanning):

216.136.171.252

FQDN: usw-sf-fw2.sourceforge.net  ( local whois ) Num of 

1 46 0  2002-07-10 18:11:58  2002-07-11 20:48 

-- 
Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Positions available see http://www.secnap.net/employment/
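Added example, not part of the post above and not Snort's own code: a small parser for the three-line alert layout shown in the message (timestamp/{proto}/src -> dst, then the [gid:sid:rev] line, then classification/priority) that aggregates the gid 111 / sid 15 "TTL Evasion attempt" events per source IP, which is the by-hand triage the poster did to find the 46 hits from one sourceforge host. The input is constructed sample text in that layout, not captured traffic; the fourth record uses a hypothetical local-range sid purely so the filter has something to exclude.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Tuple

# Constructed sample input (not captured traffic): three-line records in the
# layout the post shows. The TTL-evasion alerts are Snort's own gid 111 / sid 15
# stream4 preprocessor event; the last record is a hypothetical local rule so
# the per-signature filter below has something to leave out.
SAMPLE_ALERTS = """\
07/11/02-21:14:17.835920  {TCP} 194.51.131.66:1428 -> 10.1.1.10:25
[**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
[Classification: Not Suspicious Traffic] [Priority: 5]

07/11/02-21:15:02.100100  {TCP} 216.136.171.252:4512 -> 10.1.1.10:25
[**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
[Classification: Not Suspicious Traffic] [Priority: 5]

07/11/02-21:15:09.200200  {TCP} 216.136.171.252:4513 -> 10.1.1.10:25
[**] [111:15:1] spp_stream4: TTL Evasion attempt [**]
[Classification: Not Suspicious Traffic] [Priority: 5]

07/11/02-21:16:44.300300  {TCP} 198.51.100.7:33002 -> 10.1.1.10:80
[**] [1:1000001:1] LOCAL hypothetical web rule [**]
[Classification: Web Application Attack] [Priority: 1]
"""


class Alert(NamedTuple):
    timestamp: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    gid: int
    sid: int
    rev: int
    msg: str
    classification: str
    priority: int


HEADER_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SIG_RE = re.compile(
    r"^\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]$"
)
CLASS_RE = re.compile(
    r"^\[Classification:\s+(?P<cls>[^\]]+)\]\s+\[Priority:\s+(?P<prio>\d+)\]$"
)


def parse_alerts(text: str) -> List[Alert]:
    """Emit one Alert per complete three-line record.

    A record is only emitted once all three lines have matched in order; a
    blank line or a fresh header discards any half-built record instead of
    guessing at the missing fields.
    """
    alerts: List[Alert] = []
    header = sig = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            header = sig = None
            continue
        m = HEADER_RE.match(line)
        if m:
            header, sig = m, None
            continue
        m = SIG_RE.match(line)
        if m and header is not None:
            sig = m
            continue
        m = CLASS_RE.match(line)
        if m and header is not None and sig is not None:
            alerts.append(Alert(
                header["ts"], header["proto"],
                header["src"], int(header["sport"]), header["dst"], int(header["dport"]),
                int(sig["gid"]), int(sig["sid"]), int(sig["rev"]), sig["msg"],
                m["cls"], int(m["prio"]),
            ))
            header = sig = None
    return alerts


def count_by_source(alerts: List[Alert], gid: int = 111, sid: int = 15) -> Counter:
    """Count alerts for one generator/signature pair, keyed by source IP."""
    return Counter(a.src for a in alerts if a.gid == gid and a.sid == sid)


def top_sources(text: str, gid: int = 111, sid: int = 15) -> List[Tuple[str, int]]:
    """Sources of the chosen event, most frequent first (ties broken by IP)."""
    counts = count_by_source(parse_alerts(text), gid, sid)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for src, n in top_sources(SAMPLE_ALERTS):
        print(f"{n:5d}  {src}")
```

Run it against a real alert file by replacing SAMPLE_ALERTS with the file contents; a handful of sources accounting for most of the gid 111 / sid 15 count, all aimed at port 25, is the pattern the post describes, and the sorted output makes that visible at a glance.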



