Snort mailing list archives
RE: I found a bug
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 15 Apr 2002 21:32:42 -0500
Hi Erek,
-----Original Message-----
From: Erek Adams [mailto:erek () theadamsfamily net]
Sent: Monday, April 15, 2002 2:25 PM
To: Ronneil Camara
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] I found a bug

Stream4 introduces a new command line switch: "-z". The -z switch can take one of two arguments: "est" and "all". The "all" argument is the default if you don't specify anything and tells Snort to alert normally. If the -z switch is specified with the "est" argument, Snort will only alert (for TCP traffic) on streams that have been established via a three way handshake or streams where
Ok. So this means that flexresp will still be successful if the session has completed the 3 way handshake. If this is the case, what should be my flags then? Currently, I'm using A+. As a result, snort will send a TCP reset after the 3WAY HS.
cooperative bidirectional activity has been observed (i.e. where some traffic went one way and something other than a RST or FIN was seen going back to the originator). With "-z est" turned on, Snort completely ignores TCP-based stick/snot "attacks".

Make sense? :)

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
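A simplified model of the "-z est" decision quoted in the message above, added here as an example; it is not Snort's stream4 code and not part of the original e-mail. The class name, the constructed packet traces, and the choice to keep SYN-bearing packets out of the cooperative-activity test are assumptions.

```python
# Added illustration: a toy model of the "-z est" test, not Snort's stream4 code.
SYN, ACK, RST, FIN, PSH = 0x02, 0x10, 0x04, 0x01, 0x08  # TCP flag bits

class EstTracker:
    """Tracks, per TCP flow, whether the stream counts as established."""

    def __init__(self):
        self.flows = {}  # sorted endpoint pair -> per-flow state

    def observe(self, src, dst, flags):
        """Record one packet; return True if alerts would be allowed on its stream."""
        key = tuple(sorted((src, dst)))
        st = self.flows.setdefault(key, {"orig": src, "hs": 0, "est": False})
        if st["est"]:
            return True
        from_orig = src == st["orig"]
        if flags & SYN:
            # Handshake path: SYN from the originator, then SYN+ACK coming back.
            if from_orig and not flags & ACK:
                st["hs"] = 1
            elif not from_orig and flags & ACK and st["hs"] == 1:
                st["hs"] = 2
        elif from_orig and st["hs"] == 2 and flags & ACK and not flags & RST:
            st["est"] = True  # final ACK completes the three-way handshake
        elif not from_orig and not flags & (RST | FIN):
            # Cooperative activity: something other than RST/FIN went back to
            # the originator (assumption: only non-SYN packets count here).
            st["est"] = True
        return st["est"]

def replay(packets):
    """Feed (src, dst, flags) tuples to a fresh tracker; one verdict per packet."""
    tracker = EstTracker()
    return [tracker.observe(s, d, f) for s, d, f in packets]

# Constructed sample traces (endpoints and flags are made up for the example).
A, B = "10.0.0.5:1025", "10.0.0.9:80"
HANDSHAKE = [(A, B, SYN), (B, A, SYN | ACK), (A, B, ACK), (A, B, PSH | ACK)]
LONE_PACKET = [(A, B, PSH | ACK)]                     # no handshake, no reply
RESET_REPLY = [(A, B, PSH | ACK), (B, A, RST | ACK)]  # answered only by a RST
MIDSTREAM = [(A, B, PSH | ACK), (B, A, ACK)]          # picked up mid-stream

if __name__ == "__main__":
    for name in ("HANDSHAKE", "LONE_PACKET", "RESET_REPLY", "MIDSTREAM"):
        print(name, replay(globals()[name]))
```

In this model the lone packet and the reset-answered packet never reach the established state, so a rule matching them would not alert under "est", while the handshake and mid-stream traces do.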