[Snort-users] lots of ttl evasion attempt alerts snort 1.8.7

Schroeder, Eric Eric.Schroeder at ...6310...
Fri Jul 12 12:52:09 EDT 2002

Excuse me for not having this entire thread, I just got on this list today.
It's good to know how to disable the alerts, but I've been trying to figure
out what it means, and what causes false alerts.  Here are my stream4
options from snort.conf:

preprocessor stream4: detect_scans memcap 100MB
preprocessor stream4_reassemble: both, ports all

Would someone fill me in on what these really are, and where the various
spp_stream alerts are documented?  Also, has anyone used snort in
conjunction with Shadow?  I currently have one Shadow sensor, and one
management server with Snort/ACID/MySQL which processes the log files after
they are transferred to it.  I was running Snort and Shadow on the same
sensor, but that seemed to cause stability problems.  But I'm wondering what
everyone else thinks of this setup.


-----Original Message-----
From: Michael Scheidell [mailto:scheidell at ...5171...]
Sent: Friday, July 12, 2002 12:25 PM
To: snort-users at lists.sourceforge.net
Cc: Michael Scheidell
Subject: Re: [Snort-users] lots of ttl evasion attempt alerts snort

> Add ttl_limit 0

Thanks for quick reply!
Always a pleasure.. now, does ANYONE know the answer to the bpf problem on

Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Positions available see http://www.secnap.net/employment/
