GEN:SID 1:1321
Message BAD-TRAFFIC 0 ttl
Summary This event is generated when packets on the network have the Time To
Live (TTL) set to 0.
Impact Improper use of IP multicasting by an application causing anomalous
behaviour on the network. This may have a detrimental effect on network
devices.
Detailed Information Under normal circumstances the TTL should not be 0.

This may be the result of a poorly designed application sending a TTL of 0 using Winsock.

an indicator of unauthorized network use, reconnaisance activity or
system compromise. These rules may also generate an event due to
improperly configured network devices.
Affected Systems Windows 95
    Windows NT 3.5 and 3.51
Attack Scenarios The application may be using a flaw in some versions of Winsock that
allow multicast packets to have a TTL of 0.
Ease of Attack Simple
Corrective Action Apply the appropriate vendor fixes.
Additional References Microsoft:
http://support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268
http://support.microsoft.com/default.aspx?scid=kb;EN-US;131978
Rule References url: support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268
url: www.isi.edu/in-notes/rfc1122.txt