By manipulating the TTL on a TCP packet, an attacker could desynchronize inspection. Signature 1308 (TTL evasion) fires when the TTL for any packet in a TCP session is higher than the lowest-observed TTL for that session. Signature 1308 rewrites all TTLs to the lowest-observed TTL and produces an alert. You would like to have the signature continue to modify packets inline but avoid generating alerts.

How could this be done?

A.
Remove the Produce Alert action from the signature.

B.
Create an Event Variable.

C.
Create an Event Action Override that is based on the Produce Alert action.

D.
This cannot be done; an alert is always generated when a signature fires.
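As an added illustration, not part of the exam item and not Cisco code, the following Python model shows the mechanism the question describes: a segment sent with a TTL too small to survive the hop count to the target still passes the sensor, so the sensor inspects bytes the target never receives; a normalizer that tracks the lowest TTL per session, flags any later packet with a higher TTL and rewrites it down to that value removes the split, because every later segment then shares the fate of the short-TTL one. The session, payloads and hop count are constructed, and the two flags on the normalizer (produce_alert and modify_packet_inline) are an assumption used to show that the alert and the inline rewrite are independent actions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

SessionKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    """Minimal IPv4/TCP fields needed for this model (constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    payload: bytes = b""


def session_key(pkt: Packet) -> SessionKey:
    # One direction of a TCP session keyed on the 4-tuple. Assumption: tracking
    # a single direction is enough for this model; a real sensor tracks both.
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def reaches_target(pkt: Packet, hops_to_target: int) -> bool:
    # Each router decrements the TTL and drops the packet when it hits zero, so
    # a packet survives `hops_to_target` routers only if ttl > hops_to_target.
    return pkt.ttl > hops_to_target


@dataclass
class TtlNormalizer:
    """Model of the signature 1308 logic described in the question. The two
    actions are independent flags (assumption): Produce Alert and Modify
    Packet Inline can each be switched off without affecting the other."""
    produce_alert: bool = True
    modify_packet_inline: bool = True
    lowest_ttl: Dict[SessionKey, int] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def process(self, pkt: Packet) -> Packet:
        """Inspect one packet and return it as it will be forwarded."""
        key = session_key(pkt)
        lowest = self.lowest_ttl.get(key)
        if lowest is None or pkt.ttl < lowest:
            lowest = pkt.ttl
            self.lowest_ttl[key] = lowest
        if pkt.ttl > lowest:  # trigger: TTL above the session's lowest-observed TTL
            if self.produce_alert:
                self.alerts.append(
                    f"sig 1308 TTL evasion {key}: ttl={pkt.ttl} lowest={lowest}")
            if self.modify_packet_inline:
                pkt = replace(pkt, ttl=lowest)  # rewrite to lowest-observed TTL
        return pkt


# Constructed session: a chaff segment with TTL 8 passes the sensor but expires
# before the target 12 hops away; the real request segments use TTL 64.
HOPS_TO_TARGET = 12
STREAM = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 64, b"GET /"),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 8, b"chaff"),
    Packet("10.0.0.5", 40000, "192.0.2.10", 80, 64, b"index.html HTTP/1.0\r\n"),
]


def forward(stream: List[Packet], normalizer: Optional[TtlNormalizer] = None) -> List[Packet]:
    """Pass the stream through the sensor; with no normalizer it is untouched."""
    if normalizer is None:
        return list(stream)
    return [normalizer.process(p) for p in stream]


def views(packets: List[Packet], hops_to_target: int) -> Tuple[bytes, bytes]:
    """Return (bytes the sensor inspected, bytes the target actually received)."""
    sensor = b"".join(p.payload for p in packets)
    target = b"".join(p.payload for p in packets if reaches_target(p, hops_to_target))
    return sensor, target


def run_demo(produce_alert: bool = True) -> Tuple[List[int], List[str], bytes]:
    """Return forwarded TTLs, alerts raised, and what the target received."""
    norm = TtlNormalizer(produce_alert=produce_alert)
    out = forward(STREAM, norm)
    _, target = views(out, HOPS_TO_TARGET)
    return [p.ttl for p in out], list(norm.alerts), target


if __name__ == "__main__":
    print("no normalizer :", views(forward(STREAM), HOPS_TO_TARGET))
    print("1308 default  :", run_demo(True))
    print("1308 no alert :", run_demo(False))
```

Without the normalizer the sensor reassembles "GET /chaffindex.html ..." while the target receives "GET /index.html ...", which is the desynchronization the question refers to. With the normalizer, the third segment is rewritten to TTL 8 and dies in transit like the chaff, so the target sees nothing the sensor treated differently; switching produce_alert off leaves the rewritten TTLs identical and only empties the alert list.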


