By manipulating the TTL on a TCP packet, an attacker could desynchronize inspection. Signature
1308 (TTL evasion) fires when the TTL for any packet in a TCP session is higher than the lowest-observed TTL for that session. Signature 1308 rewrites all TTLs to the lowest-observed TTL, and
produces an alert. You would like to have the signature continue to modify packets inline but avoid
generating alerts.
How could this be done?

A.
Remove the Produce Alert action from the signature.

B.
Create an Event Variable.

C.
Create an Event Action Override that is based on the Produce Alert action.

D.
This cannot be done; an alert is always generated when a signature fires.
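As an added illustration (not part of the question and not Cisco's own code), a small Python model of the per-session behaviour the question describes: the lowest TTL seen in a session is tracked, any later packet with a higher TTL is rewritten to that value, and the alert action is a separate switch from the inline-modify action. The `TtlNormalizer` class, the flow key and the sample TTL list are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample: one TCP session (flow key) whose packets arrive with these TTLs.
# The packet with TTL 3 is the kind of short-lived packet that reaches a sensor but
# expires before the end host, which is the desynchronisation the TTL check targets.
SAMPLE_FLOW = ("10.0.0.5", 40000, "10.0.0.9", 80)
SAMPLE_TTLS = [64, 64, 3, 64, 64]


@dataclass
class TtlNormalizer:
    """Model of the behaviour the question attributes to signature 1308:
    track the lowest TTL seen per session; any later packet with a higher TTL
    is rewritten to that value (if inline modification is enabled) and an
    alert is recorded (if the alert action is enabled)."""
    modify_inline: bool = True
    produce_alert: bool = True
    lowest_ttl: dict = field(default_factory=dict)   # flow key -> lowest TTL seen
    alerts: list = field(default_factory=list)       # (flow, seen_ttl, lowest_ttl)

    def process(self, flow: tuple, ttl: int) -> int:
        """Return the TTL the packet leaves the sensor with."""
        lowest = self.lowest_ttl.get(flow)
        if lowest is None or ttl < lowest:
            self.lowest_ttl[flow] = ttl      # new lowest-observed TTL for this session
            return ttl
        if ttl > lowest:
            if self.produce_alert:
                self.alerts.append((flow, ttl, lowest))
            if self.modify_inline:
                return lowest                # clamp to the lowest-observed TTL
        return ttl


def run(ttls, produce_alert=True, modify_inline=True, flow=SAMPLE_FLOW):
    """Feed one session's TTLs through the normaliser; return (output TTLs, alert count)."""
    norm = TtlNormalizer(modify_inline=modify_inline, produce_alert=produce_alert)
    out = [norm.process(flow, ttl) for ttl in ttls]
    return out, len(norm.alerts)


if __name__ == "__main__":
    print(run(SAMPLE_TTLS))                       # alerting and modifying
    print(run(SAMPLE_TTLS, produce_alert=False))  # modifying only, no alerts
```

With the alert action switched off the packets are still clamped to TTL 3, which is the behaviour the question asks for.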


