[Snort-users] spp_stream4: TTL EVASION (reassemble) detection
kevinp at ...6884...
Fri Sep 20 10:36:02 EDT 2002
If you add "ttl_limit 0" to the end of your stream4 entry in snort.conf,
it should silence those alerts.

The problem here is that when stream4 gets the first packet of a TCP
connection, it captures the initial TTL value. Then, for every packet
in that conversation where the TTL value is off by ttl_limit (which
defaults to 5), it produces this alert. This is supposed to defeat
TTL-based evasion techniques.

So, let us say that you have a persistent TCP connection and at some
point a router goes down and the traffic starts going a different way
with an extra 5 hops... this means that every single packet after this
point is going to generate this alert.

Changing the ttl_limit to 0 will tell stream4 to not bother checking for
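
Added example, not part of the original message and not Snort source code: a simplified Python model of the per-connection TTL check the post describes, run over constructed TTL sequences to show why a mid-connection route change alerts on every later packet. The function name, the sample data and the exact comparison (`>=`) are assumptions made for illustration.

```python
# Simplified model of the stream4 TTL check as described in the post.
# Illustrative only; this is not code from Snort.

DEFAULT_TTL_LIMIT = 5  # default value stated in the post


def ttl_alerts(ttls, ttl_limit=DEFAULT_TTL_LIMIT):
    """Return the indexes of packets that would raise the TTL alert.

    ttls      -- IP TTL seen on each packet of one TCP connection, in order
    ttl_limit -- allowed deviation; 0 turns the check off, per the post
    """
    if not ttls or ttl_limit == 0:
        return []
    baseline = ttls[0]  # TTL captured from the first packet of the connection
    # Assumption: "off by ttl_limit" is modelled as |delta| >= ttl_limit,
    # which matches the post's "extra 5 hops" case under the default of 5.
    return [i for i, ttl in enumerate(ttls[1:], start=1)
            if abs(ttl - baseline) >= ttl_limit]


# Constructed sample connections (TTL per packet, not captured traffic).
STABLE = [57, 57, 57, 57, 57, 57]
JITTER = [57, 57, 56, 57, 58, 57]            # small path variation
REROUTED = [57, 57, 57, 52, 52, 52, 52, 52]  # 5 extra hops from packet 3 on
ONE_OFF = [57, 57, 3, 57, 57]                # one packet far from baseline


def report():
    """Summarize alert counts for each sample at the default and at 0."""
    samples = {"stable": STABLE, "jitter": JITTER,
               "rerouted": REROUTED, "one_off": ONE_OFF}
    return {name: (len(ttl_alerts(t)), len(ttl_alerts(t, ttl_limit=0)))
            for name, t in samples.items()}


if __name__ == "__main__":
    for name, (default_count, disabled_count) in report().items():
        print(f"{name:9s} alerts@5={default_count} alerts@0={disabled_count}")
```

Because the baseline is fixed at the first packet, the rerouted connection never stops alerting; setting the limit to 0 silences that noise but also silences the single deviating packet in the last sample.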