Cloppert, Michael wrote:
> I have the following line in my snort.conf:
>
> preprocessor stream4: min_ttl $MIN_TTL,detect_scans,disable_evasion_alerts
>
> And when I try to start snort, I get the following error:
>
> ERROR: Unknown stream4 options: min_ttl
> Fatal Error, Quitting..
>
> I thought this was available... everything I can find acknowledges it as a
> legitimate switch. Anyone have any ideas or has anyone else seen this?

There is a global min_ttl option that allows you to tell Snort to reject
all packets with an IP ttl less than that. There is also a ttl_limit
option for stream4 that specifies the max difference in ttls acceptable
for a particular stream. Frag2 also has a min_ttl argument. Which one
you really want, I cannot tell without knowing what you are trying to do.

-A

PS. There *is* a min_ttl value in the stream4 code and it will report
the value in the startup messaged, but it is not actually used anywhere
that I can find.

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]