[Snort-users] Bug/Feature in Snort?

Paul Farley Paul.Farley at ...5111...
Sun Mar 10 16:29:02 EST 2002


There are a few questions centered around that very fact.

1. Why did the ack packet my box returned set off that rule?  The ack
was headed in the wrong direction AND did not have the content specified
in the rule.  I could accept maybe a misconfiguration of HOME_NET as a
cause for the direction of traffic issue, but that packet doesn't have
the content the rule is looking for. 

Ack packet:

02/16-03:25:26.843748 MY.NET.9.170:80 ->
TCP TTL:127 TOS:0x0 ID:49657 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20

2. Why the difference between the packet TTL and the TTL reported in the


Paul Farley
EventLevel, Inc.
Paul.Farley at ...5111...
SMS Message: 6784292716 at ...5208...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Ryan
Sent: Sunday, March 10, 2002 6:56 PM
To: Paul Farley
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Bug/Feature in Snort?

On Sun, 10 Mar 2002, Paul Farley wrote:

> If you observe the TTL values for all three of the alerts, the 1st and
> 3rd packets have a TTL of  115, which is reasonable considering this
> attack originates from Windows hosts, and often the starting TTL value
> for Windows hosts is 128.  The 2nd packet however has a TTL of 255,
> which is inconsistent with the other two packets.  In addition the

Your web server echoed something back from the attempt that set off the
same rule.
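
A triage check for the two observations in this thread (the alert logged against a bare ACK, and the inconsistent TTL), added here as an example; it is not code from either poster or from Snort. The first record reuses the header values quoted in the message, the other three are constructed around the TTLs mentioned (115, 255, 115), and the function names are hypothetical.

```python
import re
from collections import Counter

# Record 1: header values quoted in the thread (its address line is truncated
# there, so it is omitted). Records 2-4: constructed, only the TTLs are from the thread.
SAMPLE = """\
TCP TTL:127 TOS:0x0 ID:49657 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x4A529D53  Ack: 0xE74AC1BC  Win: 0x4428  TcpLen: 20

TCP TTL:115 TOS:0x0 ID:1001 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x1  Ack: 0x2  Win: 0x4470  TcpLen: 20

TCP TTL:255 TOS:0x0 ID:1002 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x3  Ack: 0x4  Win: 0x4470  TcpLen: 20

TCP TTL:115 TOS:0x0 ID:1003 IpLen:20 DgmLen:112 DF
***AP*** Seq: 0x5  Ack: 0x6  Win: 0x4470  TcpLen: 20
"""

IP_RE = re.compile(r"TTL:(\d+).*?IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"^(\S{8}) Seq:.*TcpLen: (\d+)", re.M)

def parse_records(text):
    records = []
    for block in text.strip().split("\n\n"):
        ip, tcp = IP_RE.search(block), TCP_RE.search(block)
        if not (ip and tcp):
            continue  # not a TCP header dump
        ttl, ip_len, dgm_len = map(int, ip.groups())
        # DgmLen is the whole IP datagram; what remains after both headers
        # is the TCP payload a content option could inspect.
        payload = dgm_len - ip_len - int(tcp.group(2))
        records.append({"ttl": ttl, "flags": tcp.group(1), "payload": payload})
    return records

def initial_ttl(ttl):
    # Heuristic (assumption): sender started at the next common default TTL.
    return next(d for d in (64, 128, 255) if ttl <= d)

def triage(records):
    if not records:
        return []
    common = Counter(r["ttl"] for r in records).most_common(1)[0][0]
    notes = []
    for i, r in enumerate(records):
        if r["payload"] == 0:
            notes.append((i, "zero payload bytes: nothing here for a content option to match"))
        if initial_ttl(r["ttl"]) != initial_ttl(common):
            notes.append((i, f"TTL {r['ttl']} implies a different starting TTL than the other packets"))
    return notes
```
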

