Snort mailing list archives
tcpdump and snort report 2 different TTL values
From: Safka <safka () triad rr com>
Date: 22 Mar 2002 16:42:13 -0500
I am working on creating a set of custom rules for Grim's Ping. The default TTL value in the tool is 255. I am running Snort version 1.8.4-beta5 (Build 98). I am running the tool from W2k with a Linux target running tcpdump writing out to a file. When I read the file back in using tcpdump, I see the TTL value of 128 (both hosts are on the same segment). When I read the file using Snort I get 2 alerts - one with the tool's TTL value of 255 and one with the W2k TTL of 128. I can live with this, however I was wondering why this behavior is occurring. Any thoughts?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] GrimsPing login attempt [**]
03/22-14:12:34.989696 0:4:5A:C:63:B1 -> 0:0:0:0:0:1 type:0x800 len:0x4D
192.168.1.251:1333 -> 192.168.1.4:21 TCP TTL:128 TOS:0x0 ID:3540 IpLen:20 DgmLen:63 DF
***AP*** Seq: 0xCCE55378  Ack: 0xC469F1B3  Win: 0x43F9  TcpLen: 20
50 41 53 53 20 4D 67 70 75 73 65 72 40 68 6F 6D  PASS Mgpuser@hom
65 2E 63 6F 6D 0D 0A                             e.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] GrimsPing login attempt [**]
03/22-14:12:34.989696 192.168.1.251:1333 -> 192.168.1.4:21 TCP TTL:255 TOS:0x10 ID:0 IpLen:20 DgmLen:63
***AP*** Seq: 0x7853E5CC  Ack: 0x7853E5CC  Win: 0x16D0  TcpLen: 20
50 41 53 53 20 4D 67 70 75 73 65 72 40 68 6F 6D  PASS Mgpuser@hom
65 2E 63 6F 6D 0D 0A                             e.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
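The two alerts above carry the same timestamp and payload but different IP and TCP headers, and the second one is not a plausible wire packet: it has no Ethernet line, IP ID 0, no DF bit, an Ack equal to its Seq, and that Seq (0x7853E5CC) is the first alert's Seq (0xCCE55378) with its bytes reversed. This suggests the TTL 255 header was synthesized by Snort rather than read from the capture. The script below is an added example, not code from the post or from Snort: it rebuilds the first alert's packet into a pcap file (MACs, addresses, ports, TTL, TOS, ID, DF, Seq, Ack, window and the 23-byte PASS line are the values printed in the alert; the capture timestamp is constructed and the TCP checksum is left zero), reads the pcap back with a minimal stdlib parser so you can confirm the on-wire TTL the way tcpdump does, and then lists which header fields of the second alert disagree with the wire packet, including the byte-swap check.

```python
"""Rebuild the TTL:128 alert as a pcap record, parse it back, and compare it
with the header fields printed in the TTL:255 alert.

Added example; stdlib only. ALERT1/ALERT2 are the values printed in the post,
SRC_MAC/DST_MAC come from the first alert's Ethernet line, the timestamp is
constructed, and the TCP checksum is not computed (left 0).
"""
import socket
import struct

ALERT1 = dict(src="192.168.1.251", sport=1333, dst="192.168.1.4", dport=21,
              ttl=128, tos=0x00, ip_id=3540, df=True,
              seq=0xCCE55378, ack=0xC469F1B3, win=0x43F9,
              payload=b"PASS Mgpuser@home.com\r\n")      # 23 bytes, DgmLen 63
ALERT2 = dict(ttl=255, tos=0x10, ip_id=0, df=False,
              seq=0x7853E5CC, ack=0x7853E5CC, win=0x16D0)
SRC_MAC = bytes.fromhex("00045a0c63b1")   # 0:4:5A:C:63:B1
DST_MAC = bytes.fromhex("000000000001")   # 0:0:0:0:0:1
CAPTURE_TS = (1016824354, 989696)         # constructed epoch time for 03/22-14:12:34.989696


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(f: dict) -> bytes:
    """Ethernet II + IPv4 + TCP (PSH/ACK, no options) frame from the field dict."""
    tcp = struct.pack("!HHIIBBHHH", f["sport"], f["dport"], f["seq"], f["ack"],
                      5 << 4, 0x18, f["win"], 0, 0) + f["payload"]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, f["tos"], 20 + len(tcp), f["ip_id"],
                     0x4000 if f["df"] else 0, f["ttl"], 6, 0,
                     socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # fill checksum
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip + tcp


def build_pcap(records) -> bytes:
    """Little-endian pcap: global header (LINKTYPE_ETHERNET) + one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for (sec, usec), frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield the IPv4/TCP header fields of every Ethernet/IPv4/TCP record."""
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        tos, total_len, ip_id, frag, ttl, proto = struct.unpack("!BHHHBB", ip[1:10])
        if proto != 6:
            continue
        tcp = ip[ihl:total_len]
        sport, dport, seq, ack, doff = struct.unpack("!HHIIB", tcp[:13])
        win, = struct.unpack("!H", tcp[14:16])
        yield dict(ts=(sec, usec), ttl=ttl, tos=tos, ip_id=ip_id,
                   df=bool(frag & 0x4000), total_len=total_len,
                   ip_csum_ok=ip_checksum(ip[:ihl]) == 0,
                   sport=sport, dport=dport, seq=seq, ack=ack, win=win,
                   payload=tcp[(doff >> 4) * 4:])


def byte_swapped(value: int) -> int:
    """Reverse the byte order of a 32-bit value (host/network order mix-up)."""
    return int.from_bytes(value.to_bytes(4, "big"), "little")


def compare_alerts(wire: dict, other: dict) -> dict:
    """Header fields where the parsed wire packet and the other alert disagree."""
    return {k: (wire[k], other[k]) for k in other if wire[k] != other[k]}


def demo():
    pcap = build_pcap([(CAPTURE_TS, build_frame(ALERT1))])
    pkt = next(parse_pcap(pcap))
    return pkt, compare_alerts(pkt, ALERT2)


if __name__ == "__main__":
    pkt, diff = demo()
    print("on-wire header:", {k: pkt[k] for k in ("ttl", "tos", "ip_id", "df", "seq", "ack", "win")})
    for k, (a, b) in diff.items():
        print("  differs: %-6s wire=%r alert2=%r" % (k, a, b))
    print("alert2 Seq == byte-swapped wire Seq:", byte_swapped(pkt["seq"]) == ALERT2["seq"])
```

Run it against your own capture by replacing the constructed pcap with `open("file.pcap", "rb").read()` and feeding that to `parse_pcap()`; the first record should print TTL 128 and a valid IP checksum, which is the value tcpdump shows, and every field in the second alert will land in the "differs" list.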
Current thread:
- tcpdump and snort report 2 different TTL values Safka (Mar 27)