[Snort-users] Bug/Feature in Snort?
ryan at ...35...
Sun Mar 10 16:00:10 EST 2002
On Sun, 10 Mar 2002, Paul Farley wrote:
> If you observe the TTL values for all three of the alerts, the 1st and
> 3rd packets have a TTL of 115, which is reasonable considering this
> attack originates from Windows hosts, and often the starting TTL value
> for Windows hosts is 128. The 2nd packet however has a TTL of 255,
> which is inconsistent with the other two packets. In addition the
Your web server echoed something back from the attempt that set off the
More information about the Snort-users