[Snort-users] Question for Snort gurus re: TTL and intercepted communications

Keith W. McCammon mccammon at ...11827...
Thu Jul 1 10:18:13 EDT 2004

You can do this to some degree, but it's generally only accurate if
you're on a static network or the like.

Datagrams routed via public networks may take alternate paths
occasionally, or on a regular basis depending on your situation.  And
if you tried to use the baseline method (last time datagrams from
Server_A arrived with TTL X and this time they arrived with TTL X-N,
so alert) you'd probably have to be very patient and fairly lucky to
catch someone in the act, as it would be almost impossible to verify
an interception using this method alone.

If this is a concern, there are typically a few ways to deal with it:

1) Build out a private network.  This allows you to reduce the
exposure to attack, and might also provide a less dynamic environment,
which would be better suited to the type of detection methods that you

2) Use IPSec, SSH, SSL or some other encryption-based technology to
protect data in transit.  If you're pretty aggressive with your
implementation, you can regenerate session keys fast enough that it
would take a pretty disgusting amount of computing power to gain
access to the information in a worthwhile amount of time.

3) Some combination of the two.

On Thu, 01 Jul 2004 16:33:17 +0000, jeffs at ...1936...
<jeffs at ...1936...> wrote:
> I'm wondering if there might be a method to determine if a data stream has been intercepted or sidetracked by looking at the TTL values or other values in a datastream.  Of course TTL is relative and wouldn't in and of itself tell if a data stream has been intercepted, but I'm wondering if one could build a model whereby you could use a baseline reference of TTL pulled off a traceroute or something like that and then compare some values from a separate, baseline value from a third party application between server and client, to compare said values against values analyzed by snort.
> Just an idea.
> Looking for suggestions.
> J.

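Added example, not part of the original thread and not Snort code: a sketch of the "baseline method" discussed above (Server_A last arrived with TTL X, now arrives with TTL X-N), with a sustain counter so a single rerouted datagram does not alert. The class name, parameters and sample observations are assumptions constructed for illustration; an alert means the path length changed, not that interception is confirmed.

```python
from collections import Counter, defaultdict

class TTLBaseline:
    """Hypothetical per-source TTL baseline tracker (illustrative only)."""
    def __init__(self, learn=5, min_delta=1, sustain=3):
        self.learn = learn          # packets per source used to learn baseline X
        self.min_delta = min_delta  # N: smallest TTL change worth noting
        self.sustain = sustain      # consecutive deviating packets before alerting
        self.samples = defaultdict(list)
        self.baseline = {}
        self.streak = defaultdict(int)

    def observe(self, src, ttl):
        """Return an alert dict when a deviation is sustained, else None."""
        if src not in self.baseline:
            self.samples[src].append(ttl)
            if len(self.samples[src]) >= self.learn:
                # The most common TTL seen while learning becomes baseline X.
                self.baseline[src] = Counter(self.samples[src]).most_common(1)[0][0]
            return None
        delta = ttl - self.baseline[src]
        if abs(delta) < self.min_delta:
            self.streak[src] = 0    # back on the usual path, reset
            return None
        self.streak[src] += 1
        if self.streak[src] == self.sustain:  # alert once per sustained change
            return {"src": src, "baseline": self.baseline[src],
                    "ttl": ttl, "delta": delta}
        return None

# Constructed observations (source address, arriving TTL): five baseline
# packets, one transient reroute, two normal, then a sustained 3-hop change.
SAMPLE = ([("192.0.2.10", 52)] * 5 + [("192.0.2.10", 51)] +
          [("192.0.2.10", 52)] * 2 + [("192.0.2.10", 49)] * 4)

def run(observations, **kw):
    """Feed observations through a fresh tracker and collect the alerts."""
    det = TTLBaseline(**kw)
    return [a for a in (det.observe(s, t) for s, t in observations) if a]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

With sustain=1 the same data also alerts on the single transient reroute, which is the false-positive problem the reply describes for public networks.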