By manipulating the TTL on a TCP packet, an attacker could desynchronize inspection. Signature 1308 (TTL evasion) fires when the TTL for any packet in a TCP session is higher than the lowest-observed TTL for that session. Signature 1308 rewrites all TTLs to the lowest-observed TTL and produces an alert. You would like to have the signature continue to modify packets inline but avoid generating alerts.
How could this be done?
A. This cannot be done; an alert is always generated when a signature fires.
B. Create an Event Variable.
C. Remove the Produce Alert action from the signature.
D. Create a custom signature with the Meta engine.
E. Create an Event Action Override that is based on the Produce Alert action.