[Snort-devel] Simple TTL of 1 rules do not alert

Previously posted to sigs list but got no response.

These simple traceroute rules do not alert.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound TCP traceroute, TTL=1"; ttl:"|01|"; ip_proto: tcp;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound TCP traceroute, TTL=1"; ttl:"|01|"; ip_proto: tcp;)

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound TCP traceroute, TTL=1"; ttl:"|01|"; ip_proto: udp;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound TCP traceroute, TTL=1"; ttl:"|01|"; ip_proto: udp;)

I've tried using either decimal or hex for the ttl value, quoted and not. And with and without ip_proto defined, but get no alerts.

Test packets were generated with hping:

TCP SYN
hping --destport 21 -S -T x.x.x.x

and UDP
hping --destport 21 -2 -T x.x.x.x

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek

(ICMP for traceroute is not an issue because it is blocked at the router.)

Ethereal or tcpdump running on the snort box sees the TTL=1 packets go by, but snort never alerts.

Snort is ver 1.9.0 on Red Hat 8 on a Dell 2550

custom 2.4.20 SMP kernel

Start arguments in /etc/rc.d/init.d/snort:   start)

        echo -n "Starting snort: "
        daemon /usr/local/bin/snort -u snort -g snort -d -D -o -k none \

                -i $INTERFACE -l /var/log/snort -c /etc/snort/snort.conf \


                -m 027 -F /etc/snort/bpf-file -z 


        touch /var/lock/subsys/snort
        echo
        ;;

Preprocessors are:  

preprocessor frag2

preprocessor stream4: detect_scans, disable_evasion_alerts, ttl_limit 0

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek

preprocessor stream4_reassemble

preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace

preprocessor rpc_decode: 111 32771

preprocessor bo: -nobrute

preprocessor telnet_decode

preprocessor portscan: $HOME_NET 10 4 portscan.log

preprocessor portscan-ignorehosts:  .....................

output alert_fast: alert

-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup



-------------------------------------------------------
This SF.net email is sponsored by: SlickEdit Inc. Develop an edge.
The most comprehensive and flexible code editor you can use.
Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial.
www.slickedit.com/sourceforge
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel