[Snort-users] min-ttl & ttl_limit

Patrice.Arnal at ...4604...
Fri Jul 25 06:04:02 EDT 2003


What are the default values for min_ttl & ttl_limit in stream4?

What is the exact meaning of these variables?

I get a lot (413 since June 6th) of alerts:

[**] [111:15:1] (spp_stream4) TTL LIMIT Exceeded [**]
07/23-15:01:31.084367 0:4:9A:F2:63:C1 -> 0:D0:63:87:1C:1C type:0x800 
len:0xC2 -> xxx.yy.zz.tt:443 TCP TTL:9 TOS:0x0 ID:54023 IpLen:20 
DgmLen:180 DF
***AP*** Seq: 0xC2675337 Ack: 0xC078C54 Win: 0x1E04 TcpLen: 20 [Snort log]

and I don't know what to think about it. This seems to be legitimate traffic 
to our web server.

These alerts appear in bursts of about 50-60. They all come from the same 
source (Zaire).

Thank you for helping

Patrice ARNAL
