Snort mailing list archives

Re: [Snort-devel] snort stateful inspection testing


From: Michael Scheidell <scheidell () secnap net>
Date: Sat, 16 Mar 2002 10:53:03 -0500 (EST)


> Now without the '-z' options the alert is obviously triggered but
> with -z est the alert is triggered only the first time I simulate
> the connection! The second time, with different random sequence
> numbers, snort is silent, and so on until I restart the process.

if memory serves me, the -zest option is supposed to block a DOS attack
(caused by multiple spoofed ip connections)

so, -zest worked?
you forged a tcp connection, and snort only alerted on the first one?

"You must be," said the Cat, "or you wouldn't have come here."

-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell () secnap net
http://www.secnap.net/

