Enterasys Intrusion Prevention System Manual page 250

Network sensor policies and signatures guide
6.x to 7.x Mappings

Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: TTL

7.0 XML Attribute: NSC/SC/C/NetworkLayer/log-ttl

Description:
Configures the Network Sensor to record any packet with an IP time-to-live value less than or equal to the single required argument. The intent is to record traceroute packets as well as attempts to bypass intrusion detection systems with small TTL settings. When packets are recorded, the protocol and ports are displayed.

The Network Sensor reports a [LOWTTL-UDP] or [LOWTTL-TCP] event if the packet is UDP or TCP, its TTL is below the configured value, and the destination port is less than 1024. This distinguishes such packets from possible traceroute attempts to ports above 1024, which are reported with event names such as [TRACE-TCP] and [TRACE-UDP]. ICMP-based traceroutes are labeled [TRACE-ICMP]. Finally, low TTL packets that are not UDP, TCP or ICMP are labeled [LOWTTL-UNKNOWN].

Low TTL events occur on most networks and may be normal network traffic. For example, some low TTL TCP events occur whenever a particular cable modem user checks their POP email. There is no attack or traceroute there, just poor networking. Since the low TTL packet was sent to a high port, the Network Sensor reports it as a [TRACE-TCP] event.

Technical Notes:
A common value is 5.
The maximum value is 10.

A-56 Keywords/XML Attributes
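The event labeling described above, as an added example that is not Enterasys code: a small Python classifier that parses a raw IPv4 header, compares the TTL against a configured log-ttl threshold (bounded by the manual's maximum of 10), and assigns the [LOWTTL-*] and [TRACE-*] event names using the 1024 destination-port boundary. The packet bytes are constructed for the example; the function names, the placeholder addresses, and the choice to label a TCP/UDP packet with a truncated transport header as [LOWTTL-UNKNOWN] are assumptions.

```python
import struct

MAX_LOG_TTL = 10                 # manual: maximum configurable value for log-ttl
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
PRIVILEGED_PORT_LIMIT = 1024     # dst port < 1024 -> LOWTTL-*, otherwise TRACE-*


def parse_ipv4(pkt: bytes):
    """Return (ttl, protocol, dst_port) from a raw IPv4 packet.

    dst_port is None for protocols without ports or when the transport
    header is truncated.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = pkt[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4       # header length in bytes (20..60)
    ttl, proto = pkt[8], pkt[9]
    dst_port = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(pkt) >= ihl + 4:
        # TCP and UDP headers both begin with source port, destination port.
        _src_port, dst_port = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return ttl, proto, dst_port


def classify_low_ttl(pkt: bytes, log_ttl: int):
    """Return the event name for pkt, or None if its TTL exceeds log_ttl."""
    if not 1 <= log_ttl <= MAX_LOG_TTL:
        raise ValueError(f"log-ttl must be between 1 and {MAX_LOG_TTL}")
    ttl, proto, dst_port = parse_ipv4(pkt)
    if ttl > log_ttl:
        return None                       # ordinary packet, nothing recorded
    if proto == PROTO_ICMP:
        return "TRACE-ICMP"
    if proto in (PROTO_TCP, PROTO_UDP):
        name = "TCP" if proto == PROTO_TCP else "UDP"
        if dst_port is None:
            return "LOWTTL-UNKNOWN"       # assumption: no port to judge by
        prefix = "LOWTTL" if dst_port < PRIVILEGED_PORT_LIMIT else "TRACE"
        return f"{prefix}-{name}"
    return "LOWTTL-UNKNOWN"               # low TTL but not UDP, TCP or ICMP


def build_packet(ttl: int, proto: int, dst_port=None) -> bytes:
    """Constructed test packet: a minimal 20-byte IPv4 header plus, for
    TCP/UDP, a 4-byte port stub. Addresses are placeholder RFC 1918 values."""
    payload = b""
    if dst_port is not None:
        payload = struct.pack("!HH", 40000, dst_port)   # src port, dst port
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return header + payload


def scan(packets, log_ttl: int):
    """Run the classifier over a capture and return the events raised, in order."""
    return [ev for ev in (classify_low_ttl(p, log_ttl) for p in packets) if ev]


# Constructed capture mirroring the manual's cases, with log-ttl set to 5
# (the "common value" from the technical notes).
SAMPLE_PACKETS = [
    build_packet(3, PROTO_TCP, 110),      # low TTL to POP3 -> LOWTTL-TCP
    build_packet(2, PROTO_TCP, 51000),    # low TTL to a high port -> TRACE-TCP
    build_packet(1, PROTO_UDP, 33434),    # classic UDP traceroute -> TRACE-UDP
    build_packet(1, PROTO_ICMP),          # ICMP traceroute -> TRACE-ICMP
    build_packet(4, 47),                  # GRE with low TTL -> LOWTTL-UNKNOWN
    build_packet(64, PROTO_TCP, 443),     # normal TTL -> not recorded
]

if __name__ == "__main__":
    for event in scan(SAMPLE_PACKETS, 5):
        print(event)
```

The capture contains one packet per branch of the manual's description, so running the block prints the five event names in order and silently drops the TTL 64 packet; note that the POP3 packet to port 110 is recorded as [LOWTTL-TCP] while the same low TTL to a port above 1024 becomes [TRACE-TCP], which is exactly the distinction the manual draws.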
