Snort mailing list archives

RE: Snot based attacks and the -z est option.


From: counter.spy () gmx de
Date: Thu, 25 Apr 2002 22:03:32 +0200 (MEST)


Vjay,
I also have run tests with snot-0.92a recently, and I found both snort and
ISS RealSecure 6.5 could be flooded with snot garbage so an analyst would
have a hard time figuring out if there's a real attack within all that garbage.

[...]
So I would expect to log only ICMP, and UDP events defined in the
snortrules.txt. All of the TCP events
that are being faked should be ignored. 
[...]
Yep, that's what I thought, too.

[...]
This is not what is happening though
when I run the tests. I am logging the same amount of alerts when I run
snort with and without the -z est option. So what am I doing wrong here?
[...]
Well, maybe not exactly the same amount, but not much less, and not all ICMP
and UDP.
I can totally confirm your results, but I must admit that I haven't done an
in-depth analysis of which kinds of out-of-band TCP attacks get filtered by
-z est and which do not.

I would be interested if anyone else can confirm this, since I had posted a
similar mail some weeks ago and at that time still thought I had done
something wrong.
But having run those tests repeatedly, I think now I can be sure that this is
the way things are.

Hope that helps!

-Detmar


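As an added illustration (not Snort's stream4 code and not something from this thread), here is a toy model of what -z est is meant to do: keep a per-connection handshake table so that stateless, spoofed TCP packets of the kind snot emits never reach the rules engine, while ICMP and UDP pass through untouched. The packet tuples and addresses below are constructed.

```python
# Toy model of Snort's "-z est" behaviour: only TCP packets belonging to a
# session whose 3-way handshake was observed are handed to the rules engine.
# This is an added illustration, not Snort's stream4 implementation.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport flags payload")

class EstablishedFilter:
    """Tracks TCP handshakes per 4-tuple; accept() says whether a packet is in-session."""

    def __init__(self):
        self.state = {}  # canonical 4-tuple -> "SYN" | "SYNACK" | "EST"

    @staticmethod
    def _key(p):
        # Direction-independent key so both halves of a flow share one entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def accept(self, p):
        """Return True if p should still be matched against the rules."""
        if p.proto != "tcp":
            return True  # -z est only restricts TCP; ICMP/UDP are unaffected
        k = self._key(p)
        st = self.state.get(k)
        if p.flags == "S" and st is None:
            self.state[k] = "SYN"
        elif p.flags == "SA" and st == "SYN":
            self.state[k] = "SYNACK"
        elif p.flags == "A" and st == "SYNACK":
            self.state[k] = "EST"
        return self.state.get(k) == "EST"

def count_candidates(packets):
    """Return (packets seen, packets that survive the established-only filter)."""
    f = EstablishedFilter()
    return len(packets), sum(1 for p in packets if f.accept(p))

# Constructed traffic: one genuine session, then spoofed TCP segments with no
# handshake (snot-style), plus a UDP and an ICMP packet.
SAMPLE = [
    Packet("tcp", "10.0.0.5", 40000, "10.0.0.80", 80, "S", b""),
    Packet("tcp", "10.0.0.80", 80, "10.0.0.5", 40000, "SA", b""),
    Packet("tcp", "10.0.0.5", 40000, "10.0.0.80", 80, "A", b""),
    Packet("tcp", "10.0.0.5", 40000, "10.0.0.80", 80, "PA", b"real request"),
    Packet("tcp", "192.0.2.9", 1234, "10.0.0.80", 80, "PA", b"spoofed rule content"),
    Packet("tcp", "192.0.2.9", 1235, "10.0.0.80", 21, "PA", b"spoofed rule content"),
    Packet("udp", "192.0.2.9", 53, "10.0.0.80", 53, "", b"spoofed rule content"),
    Packet("icmp", "192.0.2.9", 0, "10.0.0.80", 0, "", b"spoofed rule content"),
]
```

Under this model the two spoofed TCP segments are dropped before rule matching, which is the reduction the thread expected but did not observe.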



