[Snort-users] lots of ttl evasion attempt alerts snort 1.8.7

Erek Adams erek at ...577...
Fri Jul 12 12:21:26 EDT 2002

On Fri, 12 Jul 2002, David E. Gianndrea wrote:

> > Add ttl_limit 0
> >
> Would somebody please explain this change. I too have been seeing
> these alerts, but im not quite sure I understand what they are, and
> what the effect of this change are.

Well, in spp_stream4.c:

   151      u_int8_t  ttl_limit; /* the largest difference we'll accept in the
   152                              course of a TTL conversation */

And then from reading on down in the code, it seems as though the ttl_limit is
the amount of difference in ttls on packets that form a 'conversation'.  With
the limit at 0, it doesn't care about them.

If I'm not right, I'm sure someone will correct me! :)  Or at least I hope
they do!!  ;-)


Erek Adams

More information about the Snort-users mailing list