{SPAM} [Snort-users] spp_stream4: TTL EVASION (reassemble) detection?

Matt Kettler mkettler at ...4108...
Mon Jul 15 12:59:05 EDT 2002


Chris green answered a similar question recently. His advice was:
------------
Add ttl_limit 0


At 02:55 PM 7/15/2002 -0400, bthaler at ...2720... wrote:
>.  I just upgraded my 1.8.6 to 1.8.7, and now I'm getting tons of
>"spp_stream4: TTL EVASION (reassemble) detection "
>
>My snort.conf has:
>preprocessor stream4: detect_scans, disable_evasion_alerts
>
>I assumed that this setting would eliminate these alerts, but it doesn't 
>appear to be working.  The signature does say "reassemble",
>but I don't see any similar option for stre





More information about the Snort-users mailing list