[Snort-users] stream4 and min_ttl option

Andrew R. Baker andrewb at ...950...
Tue Oct 29 13:41:02 EST 2002

Cloppert, Michael wrote:
> I have the following line in my snort.conf:
> preprocessor stream4: min_ttl $MIN_TTL,detect_scans,disable_evasion_alerts
> And when I try to start snort, I get the following error:
> ERROR: Unknown stream4 options: min_ttl
> Fatal Error, Quitting..
> I thought this was available... everything I can find acknowledges it as a
> legitimate switch.  Anyone have any ideas or has anyone else seen this?

There is a global min_ttl option that allows you to tell Snort to reject 
all packets with an IP ttl less than that.  There is also a ttl_limit 
option for stream4 that specifies the max difference in ttls acceptable 
for a particular stream.  Frag2 also has a min_ttl argument.  Which one 
you really want, I cannot tell without knowing what you are trying to do.


PS.  There *is* a min_ttl value in the stream4 code and it will report 
the value in the startup messaged, but it is not actually used anywhere 
that I can find.

More information about the Snort-users mailing list