[Snort-users] lots of ttl evasion attempt alerts snort 1.8.7

Erek Adams erek at ...577...
Fri Jul 12 12:21:26 EDT 2002


On Fri, 12 Jul 2002, David E. Gianndrea wrote:

> > Add ttl_limit 0
> >
>
> Would somebody please explain this change. I too have been seeing
> these alerts, but im not quite sure I understand what they are, and
> what the effect of this change are.

Well, in spp_stream4.c:

   151      u_int8_t  ttl_limit; /* the largest difference we'll accept in the
   152                              course of a TTL conversation */


And then from reading on down in the code, it seems as though the ttl_limit is
the amount of difference in ttls on packets that form a 'conversation'.  With
the limit at 0, it doesn't care about them.

If I'm not right, I'm sure someone will correct me! :)  Or at least I hope
they do!!  ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net





More information about the Snort-users mailing list