Option "ttl" exclusive range behavior is non-intuitive
The check for the "ttl" option when a range is specified is very non-intuitive.
ttl:33-64 A packet with TTL of 64 does NOT match. The check in the code (src/detect-ttl.c around line 87) is:
else if (mode == DETECT_TTL_RA && (pttl > dttl1 && pttl < dttl2))
Using ">=" and "<=", respectively -- the inclusive range -- would be much more intuitive (and compatible with snort).
No data to display