List:       intrusions
Subject:    RE: (spp_stream4) TTL LIMIT Exceeded
From:       Darin.MARAIS () cec ! eu ! int
Date:       2002-12-27 11:53:41

Hi there Johannes,
thank you for your reply to my question and for pointing me back in the
correct direction.

>>you would not perhaps know what the "default" ttl delta is set at if it is
not specified in the configuration file, would you??

Can this value be altered to try to dampen the false positives that I
receive?

If yes, is the syntax below correct?

I presume that this would be placed in snort.conf and that snort would need
a restart.

preprocessor stream4: detect_scans, disable_evasion_alerts, ttl_limit ??

best regards
Darin

You said: "If I remember right, this module did compare TTLs across
different packets of a given connection. The idea is, that these TTLs
should stay constant, unless someone is playing with the packets (e.g.
rerouting, injecting or other nasty stuff).

However, in real life it is not guaranteed that all packets between
two hosts take the same paths. The stream4 module allows you to configure
the 'ttl_limit', which is the maximum TTL delta allowed."
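
An added illustration, not part of the original message and not Snort's stream4 code: a simplified model of the per-connection TTL delta check described in the quoted reply, showing how the chosen limit trades false positives from path changes against sensitivity. The function name, the first-packet baseline per direction, the strict "greater than" comparison and the sample packets are all assumptions constructed for this example.

```python
from collections import namedtuple

# One observed packet: addresses, ports and the IP TTL seen at the sensor.
Packet = namedtuple("Packet", "src sport dst dport ttl")


def ttl_delta_alerts(packets, ttl_limit):
    """Return (index, delta) for every packet whose TTL differs from the
    first TTL seen in the same direction of the same connection by more
    than ttl_limit (assumed semantics: alert only when delta > limit)."""
    baseline = {}  # (src, sport, dst, dport) -> first TTL seen
    alerts = []
    for i, p in enumerate(packets):
        # Each direction gets its own baseline: client and server sit at
        # different hop counts, so their TTLs legitimately differ.
        key = (p.src, p.sport, p.dst, p.dport)
        first = baseline.setdefault(key, p.ttl)
        delta = abs(p.ttl - first)
        if delta > ttl_limit:
            alerts.append((i, delta))
    return alerts


# Constructed sample traffic (documentation addresses, invented TTLs).
SAMPLE = [
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, 57),   # client baseline
    Packet("198.51.100.5", 80, "192.0.2.10", 40000, 120),  # server baseline
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, 55),   # path change, delta 2
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, 52),   # other path, delta 5
    Packet("192.0.2.10", 40000, "198.51.100.5", 80, 9),    # delta 48, not routing noise
]

if __name__ == "__main__":
    for limit in (1, 5, 10):
        print("limit", limit, "->", ttl_delta_alerts(SAMPLE, limit))
```

With a limit of 1 the ordinary path changes alert as well; with 5 or 10 only the packet far outside normal routing variation does.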
