Snort mailing list archives

RE: TTL LIMIT Exceeded


From: Alejandro Flores <alejandro.flores () triforsec com br>
Date: Sat, 27 Mar 2004 09:48:25 -0300

        Hello there,

        These alerts are generated when you have specified the option
'ttl_limit' in your stream4 preprocessor, and a router flap occurs. If
you look in the Snort manual, it says that if you configure this
option, it may generate lots of false positives with router flaps.
        Google "router flap".

Regards,
Alejandro Flores


I'm seeing "(spp_stream4) TTL LIMIT Exceeded  {TCP}" alerts in Snort.

Occasionally I see web requests arriving at my web server with a TTL of 5.
Then the following packets decrement down to 4, 3, 2, 1, then zero, which
generates a TTL LIMIT EXCEEDED. Just curious if anyone knows what the intent
would be in purposely sending web requests with a low TTL to generate this
message?

Thanks

--TriForSec
http://www.triforsec.com.br/ 
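
Added example, not part of the original messages and not Snort's stream4 code: a simplified Python model of a per-session TTL-delta check, showing how a route change on an otherwise normal flow trips a low limit. The function names, the flow key, the packets and the comparison rule (first-seen TTL as baseline, strict "greater than") are assumptions made for illustration.

```python
"""Simplified model of a per-session TTL-delta check (not Snort's stream4 code)."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport ttl")


def ttl_delta_alerts(packets, ttl_limit):
    """Return (index, flow, baseline_ttl, ttl) for each packet whose TTL differs
    from the first TTL seen on its flow by more than ttl_limit.
    Assumption: the baseline is the first packet's TTL and the test is '>'."""
    baseline = {}
    alerts = []
    for i, p in enumerate(packets):
        flow = (p.src, p.sport, p.dst, p.dport)
        base = baseline.setdefault(flow, p.ttl)
        if abs(p.ttl - base) > ttl_limit:
            alerts.append((i, flow, base, p.ttl))
    return alerts


def ttl_profile(packets):
    """Per-flow TTLs in arrival order, collapsed into [ttl, count] runs for triage."""
    runs = {}
    for p in packets:
        flow = (p.src, p.sport, p.dst, p.dport)
        seq = runs.setdefault(flow, [])
        if seq and seq[-1][0] == p.ttl:
            seq[-1][1] += 1
        else:
            seq.append([p.ttl, 1])
    return runs


# Constructed sample: one client-to-server flow whose path gets six hops longer
# for two packets (a route change), plus a second flow with a stable TTL.
A = ("192.0.2.10", 40000, "198.51.100.5", 80)
B = ("192.0.2.77", 40100, "198.51.100.5", 80)
SAMPLE = ([Packet(*A, ttl) for ttl in (52, 52, 52, 46, 46, 52)]
          + [Packet(*B, ttl) for ttl in (117, 117, 117)])

if __name__ == "__main__":
    for limit in (5, 8):
        hits = ttl_delta_alerts(SAMPLE, limit)
        print(f"ttl_limit={limit}: {len(hits)} alert(s)", [h[0] for h in hits])
    for flow, seq in ttl_profile(SAMPLE).items():
        print(flow, seq)
```

In this constructed data the two rerouted packets alert at a limit of 5 and not at 8, while the per-flow run profile shows the TTL shifting as a block and then returning.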
