[Snort-users] Bug/Feature in Snort?

Ryan Russell ryan at ...35...
Sun Mar 10 16:00:10 EST 2002


On Sun, 10 Mar 2002, Paul Farley wrote:

>
> If you observe the TTL values for all three of the alerts, the 1st and
> 3rd packets have a TTL of 115, which is reasonable considering this
> attack originates from Windows hosts, and often the starting TTL value
> for Windows hosts is 128.  The 2nd packet however has a TTL of 255,
> which is inconsistent with the other two packets.  In addition the

Your web server echoed something back from the attempt that set off the
same rule.

				Ryan
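
Added example, not part of the original thread: a small Python triage helper that applies the TTL reasoning quoted above together with the explanation in the reply, estimating each alert's initial TTL and hop count and labelling alerts whose source is the protected web server as response traffic. The addresses, the Alert record layout and the assumption that the sensor sits on the server's own segment are constructed for illustration.

```python
"""Triage of alert TTLs (added example; addresses and records are constructed)."""
from dataclasses import dataclass

# Common initial TTL values used by IP stacks; an observed TTL is the
# initial value minus the number of router hops crossed.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


@dataclass
class Alert:
    src: str
    dst: str
    ttl: int


def estimate_origin(ttl):
    """Return (assumed initial TTL, hops travelled) for an observed TTL."""
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl


def classify(alert, server_ip):
    """Label an alert as inbound traffic or the server's own reply."""
    initial, hops = estimate_origin(alert.ttl)
    if alert.src == server_ip:
        kind = "server-response"   # rule matched content the server sent back
    elif hops == 0:
        kind = "local-segment"     # sender is on the sensor's own segment
    else:
        kind = "remote-request"
    return {"kind": kind, "initial_ttl": initial, "hops": hops}


# Constructed sample data (documentation address ranges), mirroring the
# three alerts in the thread: TTL 115, 255, 115.
SERVER = "192.0.2.10"
ALERTS = [
    Alert("198.51.100.7", SERVER, 115),
    Alert(SERVER, "198.51.100.7", 255),
    Alert("198.51.100.7", SERVER, 115),
]


def triage(alerts=ALERTS, server_ip=SERVER):
    """Classify every alert in the list against the protected server."""
    return [classify(a, server_ip) for a in alerts]


if __name__ == "__main__":
    for alert, result in zip(ALERTS, triage()):
        print(alert, result)
```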




