Snort mailing list archives

tcpdump and snort report 2 different TTL values


From: Safka <safka () triad rr com>
Date: 22 Mar 2002 16:42:13 -0500

I am working on creating a set of custom rules for Grim's Ping. The
default ttl value in the tool is 255. I am running Snort version
1.8.4-beta5 (Build 98).

I am running the tool from W2k with a linux target running tcpdump
writing out to a file.

When I read the file back in using tcpdump, I see the TTL value of 128
(both hosts are on the same segment).

When I read the file using Snort I get 2 alerts - one with the tool's
TTL value of 255 and one with the W2k TTL of 128. I can live with this;
however, I was wondering why this behavior is occurring.

Any thoughts?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] GrimsPing login attempt [**]
03/22-14:12:34.989696 0:4:5A:C:63:B1 -> 0:0:0:0:0:1 type:0x800 len:0x4D
192.168.1.251:1333 -> 192.168.1.4:21 TCP TTL:128 TOS:0x0 ID:3540
IpLen:20 DgmLen:63 DF
***AP*** Seq: 0xCCE55378  Ack: 0xC469F1B3  Win: 0x43F9  TcpLen: 20
50 41 53 53 20 4D 67 70 75 73 65 72 40 68 6F 6D  PASS Mgpuser@hom
65 2E 63 6F 6D 0D 0A                             e.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] GrimsPing login attempt [**]
03/22-14:12:34.989696 192.168.1.251:1333 -> 192.168.1.4:21 TCP TTL:255
TOS:0x10 ID:0 IpLen:20 DgmLen:63
***AP*** Seq: 0x7853E5CC  Ack: 0x7853E5CC  Win: 0x16D0  TcpLen: 20
50 41 53 53 20 4D 67 70 75 73 65 72 40 68 6F 6D  PASS Mgpuser@hom
65 2E 63 6F 6D 0D 0A                             e.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+




_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
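An added example, not part of the original post or of Snort itself: a small Python parser for Snort's "full" alert format, fed with the two alerts quoted in the message above (embedded here as constructed input), so that the header fields the two alerts disagree on can be listed mechanically and the payloads compared. When one captured packet yields two alerts with different IP headers, the questions a defender wants answered first are whether the timestamps and payloads are identical, whether each alert's DgmLen - IpLen - TcpLen matches the dumped payload, and whether the TCP fields are related by a byte-order flip; the second alert's Seq 0x7853E5CC is exactly the byte-reversed Seq 0xCCE55378 of the first, which this script checks. The field names and the comparison logic are this example's own choices.

```python
import re

# Constructed input: the two Snort full-format alerts quoted in the post above.
ALERT_TEXT = """
[**] GrimsPing login attempt [**]
03/22-14:12:34.989696 0:4:5A:C:63:B1 -> 0:0:0:0:0:1 type:0x800 len:0x4D
192.168.1.251:1333 -> 192.168.1.4:21 TCP TTL:128 TOS:0x0 ID:3540
IpLen:20 DgmLen:63 DF
***AP*** Seq: 0xCCE55378  Ack: 0xC469F1B3  Win: 0x43F9  TcpLen: 20
50 41 53 53 20 4D 67 70 75 73 65 72 40 68 6F 6D  PASS Mgpuser@hom
65 2E 63 6F 6D 0D 0A                             e.com..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] GrimsPing login attempt [**]
03/22-14:12:34.989696 192.168.1.251:1333 -> 192.168.1.4:21 TCP TTL:255
TOS:0x10 ID:0 IpLen:20 DgmLen:63
***AP*** Seq: 0x7853E5CC  Ack: 0x7853E5CC  Win: 0x16D0  TcpLen: 20
50 41 53 53 20 4D 67 70 75 73 65 72 40 68 6F 6D  PASS Mgpuser@hom
65 2E 63 6F 6D 0D 0A                             e.com..
"""

# A hex-dump row starts with at least two "XX " byte tokens; header lines never do.
HEX_LINE = re.compile(r"^([0-9A-F]{2}\s+){2,}")
# "Name:value" pairs from the IP and TCP header lines (decimal or 0x-prefixed hex).
FIELD = re.compile(r"\b(TTL|TOS|ID|IpLen|DgmLen|Seq|Ack|Win|TcpLen):\s*(0x[0-9A-Fa-f]+|\d+)")
TIMESTAMP = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s")


def parse_alerts(text):
    """Split Snort full-alert text into dicts: msg, time, link_layer, fields, payload."""
    alerts = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[**]"):
            cur = {"msg": line.strip("[*] "), "fields": {}, "payload": bytearray(),
                   "link_layer": False, "time": None}
            alerts.append(cur)
            continue
        if cur is None or not line or line.startswith("=+"):
            continue
        if HEX_LINE.match(line):
            # The dump column is 16 bytes wide (48 chars); the ASCII column follows it.
            tokens = re.findall(r"\b[0-9A-F]{2}\b", line[:48])
            cur["payload"].extend(int(t, 16) for t in tokens)
            continue
        m = TIMESTAMP.match(line)
        if m:
            cur["time"] = m.group(1)
            # Only the alert that kept the Ethernet header shows MACs and "type:0x...".
            cur["link_layer"] = "type:0x" in line
        for name, val in FIELD.findall(line):
            cur["fields"][name] = int(val, 0)
    return alerts


def byte_reversed32(v):
    """Return the 32-bit value with its four bytes in the opposite order."""
    return int.from_bytes(v.to_bytes(4, "big")[::-1], "big")


def compare(a, b):
    """Summarize how two alerts for what should be one packet differ."""
    fa, fb = a["fields"], b["fields"]
    return {
        "same_time": a["time"] == b["time"],
        "same_payload": bytes(a["payload"]) == bytes(b["payload"]),
        # The dumped payload should be exactly DgmLen minus the IP and TCP headers.
        "payload_len_consistent": all(
            f["DgmLen"] - f["IpLen"] - f["TcpLen"] == len(x["payload"])
            for f, x in ((fa, a), (fb, b))),
        "differing": {k: (fa.get(k), fb.get(k))
                      for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)},
        "seq_byte_reversed": byte_reversed32(fa["Seq"]) == fb["Seq"],
        "ack_byte_reversed": byte_reversed32(fa["Ack"]) == fb["Ack"],
    }


if __name__ == "__main__":
    first, second = parse_alerts(ALERT_TEXT)
    for key, value in compare(first, second).items():
        print(f"{key}: {value}")
```

Run against the alerts above, the report shows identical timestamp and payload, both datagram lengths consistent with the 23-byte payload, TTL/TOS/ID/Seq/Ack/Win differing, the Seq relation holding and the Ack relation not; that is the evidence to carry back to the list (or to a pcap re-read with tcpdump -v) when deciding whether two packets were on the wire or one packet was decoded twice.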

