Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1321 |
| Message | BAD-TRAFFIC 0 ttl |
| Summary | This event is generated when packets on the network have the Time To Live (TTL) set to 0. |
| Impact | Improper use of IP multicasting by an application causing anomalous behaviour on the network. This may have a detrimental effect on network devices. |
| Detailed Information | Under normal circumstances the TTL should not be 0. This may be the result of a poorly designed application sending a TTL of 0 using Winsock, or an indicator of unauthorized network use, reconnaissance activity or system compromise. These rules may also generate an event due to improperly configured network devices. |
| Affected Systems | Windows 95; Windows NT 3.5 and 3.51 |
| Attack Scenarios | The application may be using a flaw in some versions of Winsock that allows multicast packets to have a TTL of 0. |
| Ease of Attack | Simple |
| Corrective Action | Apply the appropriate vendor fixes. |
| Additional References | Microsoft: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q138268 and http://support.microsoft.com/default.aspx?scid=kb;EN-US;131978 |
| Rule References | url: support.microsoft.com/default.aspx?scid=kb\ url: www.isi.edu/in-notes/rfc1122.txt |
--