Snort mailing list archives

Re: Snot attacks and -z est option - regarding FAQ 1.9


From: Andrea Barisani <lcars () infis univ trieste it>
Date: Mon, 25 Mar 2002 15:23:33 +0100

Hi,

On Mon, Mar 25, 2002 at 02:44:30PM +0100, counter.spy () gmx de wrote:
Another question:

I have performed some testing with snot-0.92a attacks against snort during the last few weeks.

Another issue is that I tried to reduce the alerts that were caused by snot by using the -z est option. That idea was based on my assumption that snot causes many fake connections, i.e. no real connections are established. This did not help, I still got most of the alerts.

I've done some testing too with my 'Firewall Tester' and I've found that with the -z est option snort never issues an alert on unrelated packets; maybe the alerts you are seeing are generated by SYN packets and not ACK+ ones.

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer         .*. 
Department of Physics       - University of Trieste    /V\
lcars () infis univ trieste it - PGP Key 0x8E21FE82      (/ \)
----------------------------------------------------  (   )
"How would you know I'm mad?" said Alice.             ^^-^^
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
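A simplified model of the behaviour described in the reply above, added here as an example and not Snort's own stream4 code: a content match is only reported for packets that belong to a TCP session whose three-way handshake was observed, so an unsolicited spoofed packet of the kind snot sends is suppressed while the same payload inside a real session still alerts. The packets and the signature are constructed.

```python
# Minimal stateful alert filter modelling "-z est" (added example, not Snort code):
# alert on a content match only if the packet is part of an established TCP session.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "S", "SA", "A", "PA" ...
    payload: bytes = b""

SIGNATURE = b"/cgi-bin/phf"   # constructed content rule

class EstablishedFilter:
    def __init__(self):
        self.syn_seen, self.synack_seen, self.established = set(), set(), set()

    @staticmethod
    def key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def rkey(p):
        return (p.dst, p.dport, p.src, p.sport)

    def update(self, p):
        """Track the three-way handshake; mark the client->server tuple established."""
        if p.flags == "S":
            self.syn_seen.add(self.key(p))
        elif p.flags == "SA" and self.rkey(p) in self.syn_seen:
            self.synack_seen.add(self.rkey(p))
        elif "A" in p.flags and self.key(p) in self.synack_seen:
            self.established.add(self.key(p))

    def is_established(self, p):
        return self.key(p) in self.established or self.rkey(p) in self.established

def run(packets, stateful=True):
    """Return the verdict ('alert' or 'suppressed') for every packet matching SIGNATURE."""
    flt, verdicts = EstablishedFilter(), []
    for p in packets:
        flt.update(p)
        if SIGNATURE in p.payload:
            verdicts.append("alert" if (not stateful or flt.is_established(p)) else "suppressed")
    return verdicts

# Constructed samples: a spoofed ACK with no handshake (snot-style) vs. a real session.
SNOT_PACKETS = [Pkt("10.0.0.9", 40000, "192.0.2.10", 80, "A", b"GET /cgi-bin/phf HTTP/1.0")]
REAL_SESSION = [Pkt("10.0.0.5", 51000, "192.0.2.10", 80, "S"),
                Pkt("192.0.2.10", 80, "10.0.0.5", 51000, "SA"),
                Pkt("10.0.0.5", 51000, "192.0.2.10", 80, "A"),
                Pkt("10.0.0.5", 51000, "192.0.2.10", 80, "PA", b"GET /cgi-bin/phf HTTP/1.0")]
```

Running `run(SNOT_PACKETS, stateful=False)` shows the stateless alert that the established-only mode removes.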
