ttl

The ttl rule option is used to check that the IP time-to-live (TTL) value in the IP header is less than, greater than, equal to, not equal to, less than or equal to, or greater than or equal to a specified integer value. This rule option can also check that the header's TTL value is between a range of numbers, using the <> range operator for an exclusive range check or the <=> for an inclusive one.

Format:

Single value comparision:

ttl:[<|>|=|!|<=|>=]ttl;

Range comparison:

ttl:ttl_min{<>|<=>}ttl_max;

Examples:

# Check that the TTL equals 64
ttl:64;

# Check that the TTL does not equal 64
ttl:!64;

# Check that the TTL is less than 3 
ttl:<3;

# Check that the TTL is between 3 and 5 (inclusive)
ttl:3<=>5;

# Check that the TTL is equal to 5
ttl:=5;

Snort 3 Rule Writing Guide

ttl

Format:

Single value comparision:

Range comparison:

Examples: