At 03:43 PM 11/18/2004, Nigel Houghton wrote:
On 0, Russell Fulton <r.fulton@auckland.ac.nz> allegedly wrote:
> Hi Folks,
> I'll try this one again, I posted this query a few weeks ago to the
> support list without receiving a responses.
>
> The subject really says it all, just what triggers this alert from the
> plugin?
http://www.snort.org/snort-db/sid.html?sid=111:15
> I have recently installed snort on the inside of our campus network and
> have noticed that traffic from our dial in pool often trigger this alert
> and I am puzzled as to why.
Weird TTL values.
More specifically, it's trying to look for TTL values that change over a
session. Something that should not happen in a legitimate session unless
significant routing changes occur due to a downed router somewhere. This
kind of thing can and does happen in the real world, but it should not be
all that often.
However, someone trying to do blind TCP session hijacking would also be
likely to trigger this.
Looking at the code, it would appear that by default if any packet in a
session has a TTL that is more than 5 hops different than the TTL of the
initial packet, this alert is triggered.
The default limit in TTL variation can be changed using the ttl_limit
parameter to stream4.
-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
