[Snort-users] stream4 and min_ttl option
Andrew R. Baker
andrewb at ...950...
Tue Oct 29 13:41:02 EST 2002
Cloppert, Michael wrote:
> I have the following line in my snort.conf:
> preprocessor stream4: min_ttl $MIN_TTL,detect_scans,disable_evasion_alerts
> And when I try to start snort, I get the following error:
> ERROR: Unknown stream4 options: min_ttl
> Fatal Error, Quitting..
> I thought this was available... everything I can find acknowledges it as a
> legitimate switch. Anyone have any ideas or has anyone else seen this?
There is a global min_ttl option that allows you to tell Snort to reject
all packets with an IP ttl less than that. There is also a ttl_limit
option for stream4 that specifies the max difference in ttls acceptable
for a particular stream. Frag2 also has a min_ttl argument. Which one
you really want, I cannot tell without knowing what you are trying to do.
PS. There *is* a min_ttl value in the stream4 code and it will report
the value in the startup messaged, but it is not actually used anywhere
that I can find.
More information about the Snort-users