Snort mailing list archives
RE: Snot based attacks and the -z est option.
From: counter.spy () gmx de
Date: Thu, 25 Apr 2002 22:03:32 +0200 (MEST)
Vjay, I also have run tests with snot-0.92a recently, and I found both snort and ISS RealSecure 6.5 could be flooded with snot garbage so an analyst would have a hard time figuring out if there's a real attack within all that garbage. [...]
So I would expect to log only ICMP, and UDP events defined in the snortrules.txt. All of the TCP events that are being faked should be ignored.
[...] Yep, that's what I thought, too. [...]
This is not what is happening though when I run the tests. I am logging the same amount of alerts when I run snort with and without the -z est option. So what am I doing wrong here?
[...] Well, maybe not exactly the same amount, but not much less, and not all ICMP and UDP. I can totally confirm your results, but I must admit that I haven't done an in-depth analysis of which kind of out-of-band TCP attacks get filtered by -z est and which don't. I would be interested if anyone else can confirm this, since I had posted a similar mail some weeks ago and at that time still thought I had done something wrong. But having run those tests repeatedly I think now I can be sure that this is the way things are. Hope that helps! -Detmar
-- 
GMX - The communications platform on the Internet. http://www.gmx.net
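The behaviour both posters expect from `-z est` is that a TCP alert is only reported when the packet belongs to a session whose three-way handshake the sensor has actually seen, so single spoofed TCP packets generated from rule contents (which never complete a handshake) are dropped, while ICMP and UDP alerts are unaffected. The following script is an added illustration of that filtering idea written for this archive page; it is not Snort's code and not part of the thread. The handshake tracking is a deliberately minimal assumption and does not reproduce stream4's real state machine, and the addresses and packets in `SAMPLE` are constructed.

```python
"""Simplified model of an 'alert only on established TCP sessions' filter.

Added illustration, not Snort's code: it models what the thread expects
`snort -z est` to do. A rule hit on a TCP packet is reported only when the
packet's 4-tuple has completed a SYN / SYN+ACK / ACK handshake in front of
the sensor; rule hits on stateless TCP packets are suppressed, and rule hits
on UDP or ICMP are always reported because there is no session to check.
The state tracking below is a minimal assumption, not stream4's state machine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                  # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""             # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    matches_rule: bool = False  # would a signature fire on this packet?


class EstablishedFilter:
    """Tracks TCP handshakes and suppresses rule hits on non-established TCP."""

    def __init__(self):
        self._half_open = set()   # 4-tuples that have seen a SYN
        self._synack = set()      # 4-tuples that have seen SYN then SYN+ACK
        self.established = set()  # 4-tuples whose handshake completed

    @staticmethod
    def _key(p):
        # Direction-independent 4-tuple so both sides of a flow share a key.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def _track(self, p):
        k = self._key(p)
        if p.flags == "S":
            self._half_open.add(k)
        elif p.flags == "SA" and k in self._half_open:
            self._synack.add(k)
        elif "A" in p.flags and k in self._synack:
            self.established.add(k)

    def process(self, packets, established_only=True):
        """Return the packets whose rule hits would be reported as alerts."""
        reported = []
        for p in packets:
            if p.proto == "TCP":
                self._track(p)
            if not p.matches_rule:
                continue
            if (established_only and p.proto == "TCP"
                    and self._key(p) not in self.established):
                continue  # stateless TCP hit: suppressed, as -z est is meant to do
            reported.append(p)
        return reported


# Constructed sample traffic: one real session plus stateless decoy packets.
CLIENT, SERVER, SPOOFED = "10.0.0.5", "10.0.0.9", "192.0.2.77"
SAMPLE = [
    # a genuine session: handshake, then a payload that trips a rule
    Packet("TCP", CLIENT, 40001, SERVER, 80, "S"),
    Packet("TCP", SERVER, 80, CLIENT, 40001, "SA"),
    Packet("TCP", CLIENT, 40001, SERVER, 80, "A"),
    Packet("TCP", CLIENT, 40001, SERVER, 80, "PA", matches_rule=True),
    # rule-matching TCP packets with no handshake behind them
    Packet("TCP", SPOOFED, 1234, SERVER, 80, "PA", matches_rule=True),
    Packet("TCP", SPOOFED, 1235, SERVER, 21, "A", matches_rule=True),
    # non-TCP rule hits: reported either way
    Packet("UDP", SPOOFED, 5000, SERVER, 53, matches_rule=True),
    Packet("ICMP", SPOOFED, 0, SERVER, 0, matches_rule=True),
]


def run_sample(established_only=True):
    """Run the constructed sample through a fresh filter."""
    return EstablishedFilter().process(SAMPLE, established_only)


if __name__ == "__main__":
    for mode in (True, False):
        hits = run_sample(mode)
        print(f"established_only={mode}: {len(hits)} alerts "
              f"({', '.join(p.proto + ':' + p.src for p in hits)})")
```

With the session check on, only the genuine session's TCP hit plus the UDP and ICMP hits are reported; with it off, every rule hit is reported, which is the difference the thread expected to see between running with and without `-z est`. A real sensor's answer also depends on where stream reassembly sits in the pipeline and on how that state machine handles partial handshakes, which this toy model does not capture.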
Current thread:
- Snot based attacks and the -z est option. larosa, vjay (Apr 24)
- <Possible follow-ups>
- FW: Snot based attacks and the -z est option. larosa, vjay (Apr 25)
- RE: Snot based attacks and the -z est option. counter . spy (Apr 25)
- Re: Snot based attacks and the -z est option. Chris Green (Apr 26)
- Re: Snot based attacks and the -z est option. counter . spy (Apr 26)
- Re: Snot based attacks and the -z est option. Chris Green (Apr 26)
- Re: Snot based attacks and the -z est option. Chris Green (Apr 26)
- RE: Snot based attacks and the -z est option. larosa, vjay (Apr 25)
- RE: Snot based attacks and the -z est option. larosa, vjay (Apr 26)
- Re: Snot based attacks and the -z est option. Chris Green (Apr 26)
- RE: Snot based attacks and the -z est option. larosa, vjay (Apr 26)
- RE: Snot based attacks and the -z est option. larosa, vjay (Apr 26)