[Snort-users] spp_stream4: TTL EVASION (reassemble) detection

Kevin Peuhkurinen kevinp at ...6884...
Fri Sep 20 10:36:02 EDT 2002


If you add "ttl_limit 0" to the end of your stream4 entry in snort.conf, 
it should silence those alerts.

The problem here is that when stream4 gets the first packet of a TCP 
connection, it captures the initial TTL value. Then, for every packet 
in that conversation where the TTL value is off by ttl_limit (which 
defaults to 5), it produces this alert. This is supposed to defeat 
TTL based evasion techniques.

So, let us say that you have a persistent TCP connection and at some 
point a router goes down and the traffic starts going a different way 
with an extra 5 hops... this means that every single packet after this 
point is going to generate this alert.

Changing the ttl_limit to 0 will tell stream4 to not bother checking for 
ttl changes.

Kevin
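As an added illustration of the behaviour Kevin describes (this is not Snort's own stream4 code), the following Python model records the TTL of a flow's first packet and flags later packets whose TTL drifts by ttl_limit or more hops, treating ttl_limit 0 as "do not check". The flow key, the sample TTL values and the route-change scenario are constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed flow key: (src_ip, src_port, dst_ip, dst_port).
FlowKey = tuple


@dataclass
class TtlEvasionChecker:
    """Model of the stream4 TTL check described in the post (not Snort code).

    ttl_limit: how far a packet's TTL may drift from the TTL captured on the
    first packet of the flow before an alert fires; 0 disables the check,
    which is what 'ttl_limit 0' in the stream4 preprocessor line does.
    """
    ttl_limit: int = 5                      # default stated in the post
    initial_ttl: dict = field(default_factory=dict)

    def check(self, flow: FlowKey, ttl: int) -> bool:
        """Return True if this packet would raise 'TTL EVASION (reassemble)'."""
        if flow not in self.initial_ttl:
            self.initial_ttl[flow] = ttl    # first packet: record the baseline
            return False
        if self.ttl_limit == 0:             # check disabled
            return False
        # Assumption: drifting by ttl_limit hops or more counts as "off by
        # ttl_limit", matching the post's "extra 5 hops" example.
        return abs(ttl - self.initial_ttl[flow]) >= self.ttl_limit


def replay(ttls, ttl_limit=5):
    """Feed a TTL sequence for one flow; return the indices that alerted."""
    chk = TtlEvasionChecker(ttl_limit=ttl_limit)
    flow = ("10.0.0.5", 40000, "192.0.2.10", 80)   # constructed sample flow
    return [i for i, ttl in enumerate(ttls) if chk.check(flow, ttl)]


if __name__ == "__main__":
    # Constructed scenario from the post: a long-lived connection whose
    # route changes after four packets and now crosses five extra hops,
    # so every later packet arrives with a TTL five lower than the baseline.
    rerouted = [58] * 4 + [53] * 6
    print("default ttl_limit 5 alerts on packets:", replay(rerouted))
    print("ttl_limit 0 alerts on packets:", replay(rerouted, ttl_limit=0))
    # Small jitter (a hop or two) stays under the default limit.
    print("jitter alerts on packets:", replay([58, 57, 59, 56]))
```

Every packet after the reroute alerts with the default, which is the flood of alerts the original poster saw; ttl_limit 0 silences the check entirely rather than widening the tolerance.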
