[Snort-users] lots of ttl evasion attempt alerts snort 1.8.7
erek at ...577...
Fri Jul 12 12:21:26 EDT 2002
On Fri, 12 Jul 2002, David E. Gianndrea wrote:
> > Add ttl_limit 0
> Would somebody please explain this change. I too have been seeing
> these alerts, but I'm not quite sure I understand what they are, and
> what the effect of this change is.
Well, in spp_stream4.c:
    u_int8_t ttl_limit; /* the largest difference we'll accept in the
                           course of a TTL conversation */
And then from reading on down in the code, it seems as though the ttl_limit is
the amount of difference in ttls on packets that form a 'conversation'. With
the limit at 0, it doesn't care about them.
If I'm not right, I'm sure someone will correct me! :) Or at least I hope
they do!! ;-)
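
As an added example (not part of the original message and not Snort's stream4 code), the check described above can be sketched in C: a per-conversation baseline TTL, an alert when a later packet's TTL differs from it by more than ttl_limit, and a limit of 0 turning the check off. The struct, the function names and the sample TTL values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-conversation state; not Snort's own session structure. */
struct conv {
    uint8_t base_ttl;   /* TTL of the first packet seen from this sender */
    int     have_base;  /* nonzero once base_ttl has been recorded */
};

/* Returns 1 when pkt_ttl differs from the conversation baseline by more
 * than ttl_limit, 0 otherwise. A ttl_limit of 0 disables the check, which
 * is the behaviour the message above describes. */
int ttl_check(struct conv *c, uint8_t pkt_ttl, uint8_t ttl_limit)
{
    if (ttl_limit == 0)
        return 0;                       /* check switched off */
    if (!c->have_base) {
        c->base_ttl = pkt_ttl;          /* first packet sets the baseline */
        c->have_base = 1;
        return 0;
    }
    int diff = (int)pkt_ttl - (int)c->base_ttl;
    if (diff < 0)
        diff = -diff;
    return diff > (int)ttl_limit;
}

/* Runs one sender's packets through the check and counts the alerts. */
int count_alerts(const uint8_t *ttls, int n, uint8_t ttl_limit)
{
    struct conv c = {0, 0};
    int alerts = 0;
    for (int i = 0; i < n; i++)
        alerts += ttl_check(&c, ttls[i], ttl_limit);
    return alerts;
}

/* Constructed sample: a steady stream at TTL 57 with small jitter, one
 * packet at TTL 3 and one at TTL 49 (for instance after a route change). */
static const uint8_t sample_ttls[] = {57, 57, 56, 57, 3, 57, 49};

int main(void)
{
    int n = (int)(sizeof sample_ttls / sizeof sample_ttls[0]);
    printf("limit 5:  %d alerts\n", count_alerts(sample_ttls, n, 5));
    printf("limit 10: %d alerts\n", count_alerts(sample_ttls, n, 10));
    printf("limit 0:  %d alerts\n", count_alerts(sample_ttls, n, 0));
    return 0;
}
```

A small limit also flags ordinary path changes, which is one way a sensor ends up logging many of these alerts; a limit of 0 silences them at the cost of no longer checking TTL consistency at all.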