[Snort-users] Lots of "spp_stream4: TTL EVASION (reasemble) "

Cloppert, Michael Michael.Cloppert at ...5884...
Wed Jul 31 06:44:04 EDT 2002

What I've found helps is if I adjust the (undocumented) ttl_limit option in
the stream4 preprocessor.  I *believe* if you set it to 0, you won't get any
alerts of this nature.  From what I understand, this is the delta between a
"normal" ttl for a TCP conversation and a "skewed" ttl.  For example, my SYN
and SYN-ACK in a TCP handshake may have a ttl of 150 each.  The next ACK has
a ttl of 2.  The delta between these two packets is 148, therefore if my
ttl_limit is set to anything <= 148, this ACK will generate an evasion
alert.  Unfortunately, I've had to set this VERY high to minimize false
positives.  If anyone's had better luck with tweaking these parameters I'd
be interested to hear what's been done, because my ttl_limit of 175 is going
to miss some evasion attempts, without a doubt!  FYI, my stream4 line is:

preprocessor stream4: disable_evasion_alerts,ttl_limit 175


> -----Original Message-----
> From: Augustinho Catto [mailto:Catto at ...6458...]
> Sent: Thursday, July 25, 2002 3:20 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Lots of "spp_stream4: TTL EVASION (reasemble) "
> Dear gurus:
> Since I installed snort 1.87 version I received lots of alerts kind 
> "spp_stream4: TTL EVASION (reassemble) detection ".
> It happened in spite of fact I´ve already set:
> "preprocessor stream4: disable_evasion_alerts" and
> "preprocessor stream4_reassemble: noalerts" in snort.conf.
> In this network exists a "Total Control" which receive dial-up 
> connections.
> How could avoid this false alerts?
> TIA,
> Catto
> Augustinho Valmor CATTO
> CNE - Analista de Suporte 
> UNISINOS - Universidade do Vale do Rio dos Sinos
> Sao Leopoldo - RS - Brasil
> Phone: +55 xx 51 590-8386
> http://www.unisinos.br/institucional/estrutura/
> "From Brazil the land of FIFA worldwide soccer five times 
> championship"
> -------------------------------------------------------
> This sf.net email is sponsored by: Jabber - The world's 
> fastest growing 
> real-time communications platform! Don't just IM. Build it in! 
> http://www.jabber.com/osdn/xim
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list