OSEC

From: Jason (security_at_brvenik.com)
Date: Mon Feb 10 2003 - 16:50:01 CST


    Jon wrote:

    >On Tue, Feb 11, 2003 at 08:17:14AM +1100, Hall, Andrew (DPRS) wrote:
    >
    >
    >>Jon,
    >>
    >>If you are seeing something the TTL decrement all the way to 1 then you
    >>probably have a routing loop. I.e. are the destinations actually used in
    >>your address space? If not, what can happen is that your border router
    >>will route the address into your network, while your next device inside
    >>the border router will route it back by its default route.
    >>
    >>Just something to check.
    >>
    >>
    >
    >My bad -- I should've been a bit more clear.
    >
    >The default TTL limit for Snort's stream4 preprocessor looks to be 5.
    >Expiration in the context of stream4's TTL doesn't mean it dropped to 1,
    >but rather "oh my, that's low. you might want to check that out".
    >
    >It was pure luck that stream4 first picked up on these packets. The ones
    >that I'm catching now have believable TTLs, and are originating from well
    >known/used ports like 22,25,80.
    >

    ttl_limit defines the acceptable TTL variance for a given session.
    So in English, if a TTL changes more than ttl_limit in a given session
    then you will get an alert.

    If you have asymmetric routes or the upstream or the endpoint or you have
    dynamic load balancing... you can see a bunch of these.

    Either increase the limit to be more appropriate for the environment or
    disable it by setting it to 0.

    >
    >Thanks,
    >
    >-jon
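The ttl_limit behaviour described in this reply, as an added illustration that is not Snort's stream4 code: a minimal session tracker that records the first TTL seen per direction of a session and alerts when a later packet's TTL differs from it by more than the limit, with 0 disabling the check. Tracking per direction (keyed on the ordered source/destination tuple) and the sample packets are assumptions made here, not a description of stream4's internals.

```python
# Constructed sample, not captured traffic. Each entry is (session_key, ttl),
# where session_key = (src_ip, src_port, dst_ip, dst_port) so that each
# direction of a conversation is tracked on its own (an assumption).
SSH_SESSION = ("10.0.0.5", 40123, "192.0.2.10", 22)
WEB_SESSION = ("198.51.100.7", 51000, "192.0.2.20", 80)

SAMPLE_PACKETS = [
    (SSH_SESSION, 64),  # first packet of the SSH session, TTL baseline 64
    (WEB_SESSION, 52),  # first packet of the web session, TTL baseline 52
    (SSH_SESSION, 63),  # one hop of jitter, well within the default limit
    (WEB_SESSION, 44),  # path changed (load balancing / asymmetric route)
    (SSH_SESSION, 64),
    (WEB_SESSION, 47),  # variance 5: equal to the limit, so no alert
    (SSH_SESSION, 59),  # variance 5: equal to the limit, so no alert
]


def ttl_limit_alerts(packets, ttl_limit=5):
    """Emulate a ttl_limit style check over a packet stream.

    Returns a list of (packet_index, session_key, first_ttl, ttl) tuples for
    every packet whose TTL deviates from the session's first TTL by more
    than ttl_limit. The default of 5 follows the value quoted in the thread;
    ttl_limit == 0 disables the check entirely, as the reply describes.
    """
    if ttl_limit == 0:
        return []

    first_ttl = {}   # session_key -> TTL of the first packet seen
    alerts = []
    for index, (session, ttl) in enumerate(packets):
        baseline = first_ttl.setdefault(session, ttl)
        variance = abs(ttl - baseline)
        # "changes more than ttl_limit": strictly greater triggers an alert
        if variance > ttl_limit:
            alerts.append((index, session, baseline, ttl))
    return alerts


if __name__ == "__main__":
    for limit in (5, 10, 0):
        print(f"ttl_limit={limit}: {ttl_limit_alerts(SAMPLE_PACKETS, limit)}")
```

Raising the limit to 10 silences the load-balanced web session in the sample, which is the tuning choice the reply recommends for environments where TTL drift is expected.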