[Snort-users] lots of ttl evasion attempt alerts snort 1.8.7

David E. Gianndrea daveg at ...4357...
Fri Jul 12 12:02:11 EDT 2002


Chris Green wrote:
> 
> Michael Scheidell <scheidell at ...5171...> writes:
> 
> > I won't say BILLIONS, but 200 more of these in 21 hours of running snort
> > 1.8.7 vs 1.8.6beta6.
> >
> > starting snort thus:
> > /usr/local/bin/snort -doDI -m 022 -z \
> > -c /usr/local/etc/snort.conf -i rl0 -l /var/log/snort
> >
> > system is FBSD 4.5.
> >
> > I did not change my snort.conf:
> > preprocessor frag2
> > preprocessor stream4: noinspect, disable_evasion_alerts
> 
> Add ttl_limit 0
> 

Would somebody please explain this change? I too have been seeing
these alerts, but I'm not quite sure I understand what they are, and
what the effect of this change is.


-- 
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.



