[Snort-users] Question for Snort gurus re: TTL and intercepted communications

jeffs at ...1936...
Thu Jul 1 09:34:00 EDT 2004


I'm wondering if there might be a method to determine if a data stream has been intercepted or sidetracked by looking at the TTL values or other values in a data stream. Of course TTL is relative and wouldn't in and of itself tell if a data stream has been intercepted, but I'm wondering if one could build a model whereby you could use a baseline reference of TTL pulled off a traceroute or something like that, and then compare some values from a separate baseline value from a third-party application between server and client, to compare said values against the values analyzed by Snort.

Just an idea.

Looking for suggestions.

J.
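The comparison the post sketches, as an added example that is not part of the original message or of Snort: a traceroute to the server is parsed into a baseline hop count, the hop count of each later packet from that server is inferred from its observed TTL (assuming the common initial TTLs 64, 128 and 255), and a packet whose inferred hop count drifts from the baseline, or whose inferred initial TTL changes, is flagged. The traceroute text, the server address and the packet TTLs are constructed sample data; the class and function names are this example's own.

```python
"""Hop-count baseline check from observed TTL values (added example, not from the post)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: senders start from one of the common OS default initial TTLs.
INITIAL_TTLS = (64, 128, 255)


def infer_initial_ttl(observed_ttl: int) -> int:
    """Guess the sender's initial TTL as the smallest common default >= observed."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"invalid TTL {observed_ttl}")
    return next(t for t in INITIAL_TTLS if observed_ttl <= t)


def hop_count(observed_ttl: int) -> int:
    """Hops the packet travelled, under the initial-TTL assumption above."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


# Matches the hop-number column of traceroute output, including "* * *" timeouts.
_HOP_LINE = re.compile(r"^\s*(\d+)\s+\S")


def hops_from_traceroute(text: str) -> int:
    """Baseline hop count: the highest hop number printed by traceroute."""
    hops = [int(m.group(1)) for line in text.splitlines() if (m := _HOP_LINE.match(line))]
    if not hops:
        raise ValueError("no hop lines found in traceroute output")
    return max(hops)


@dataclass
class Verdict:
    src: str
    observed_ttl: int
    inferred_initial_ttl: int
    inferred_hops: int
    baseline_hops: int
    delta: int                       # inferred_hops - baseline_hops
    reasons: List[str] = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return bool(self.reasons)


class TtlMonitor:
    """Compare per-source TTLs against a hop-count baseline built from traceroute."""

    def __init__(self, baselines: Dict[str, int], tolerance: int = 1):
        self.baselines = dict(baselines)   # src IP -> baseline hop count
        self.tolerance = tolerance         # routes flap by a hop or so; don't alert on that
        self.initial_seen: Dict[str, int] = {}

    def check(self, src: str, observed_ttl: int) -> Optional[Verdict]:
        base = self.baselines.get(src)
        if base is None:
            return None                    # nothing to compare against
        init = infer_initial_ttl(observed_ttl)
        hops = init - observed_ttl
        delta = hops - base
        reasons = []
        if abs(delta) > self.tolerance:
            reasons.append(f"hop count {hops} deviates from baseline {base}")
        # A different initial TTL from the same address suggests a different IP stack answering.
        prev = self.initial_seen.setdefault(src, init)
        if prev != init:
            reasons.append(f"initial TTL changed {prev} -> {init}")
        return Verdict(src, observed_ttl, init, hops, base, delta, reasons)


# Constructed sample traceroute to the server (documentation addresses, not real hosts).
SAMPLE_TRACEROUTE = """\
traceroute to 192.0.2.10 (192.0.2.10), 30 hops max, 60 byte packets
 1  198.51.100.1 (198.51.100.1)  0.412 ms
 2  198.51.100.254 (198.51.100.254)  1.902 ms
 3  * * *
 4  203.0.113.9 (203.0.113.9)  9.311 ms
 5  192.0.2.10 (192.0.2.10)  11.004 ms
"""

# Constructed TTLs as seen on later packets from the server.
SAMPLE_PACKETS = [("192.0.2.10", 59), ("192.0.2.10", 60), ("192.0.2.10", 56), ("192.0.2.10", 123)]


def run_demo() -> List[Verdict]:
    monitor = TtlMonitor({"192.0.2.10": hops_from_traceroute(SAMPLE_TRACEROUTE)})
    verdicts = [v for src, ttl in SAMPLE_PACKETS if (v := monitor.check(src, ttl)) is not None]
    for v in verdicts:
        print(f"{v.src} ttl={v.observed_ttl} hops={v.inferred_hops} "
              f"baseline={v.baseline_hops} alert={v.alert} {'; '.join(v.reasons)}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

Two caveats the post itself hints at: the traceroute measures the forward path while the TTL on received packets reflects the return path, so with asymmetric routing the baseline is better learned from packets observed during a known-good period than from traceroute alone, and an interceptor that re-originates packets with a plausible TTL is not caught by this check at all; it only spots the careless case where the detour adds or removes hops, or where a different stack starts answering for the same address.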
