Snort mailing list archives

RE: Snot based attacks and the -z est option.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Fri, 26 Apr 2002 10:52:12 -0400

I see the same events when running -z est and when not running the -z est. I am running snort 1.8.6 build 105. Maybe I am confused with the way that the -z option works. This is the situation:

HostA sends thousands of faked snot events with bogus SRC IPs ----> Host B is the DEST for these events.

Snort is monitoring all of this traffic.

When I run without the -z I would expect to see thousands of TCP faked
events. 

When I use the -z est I would expect to not see any faked TCP events.

Am I understanding this correctly? 


Because in either case I am seeing the same amount of events, not the number of events I would expect to see though. I only pick up ~100-200 attacks which are mostly ICMP, UDP, and a few TCP when either using -z est, or not using the -z est.

I am beginning to think that it is me doing something wrong. I am just not sure what though.

vjl




-----Original Message-----
From: Chris Green [mailto:cmg () sourcefire com]
Sent: Friday, April 26, 2002 10:38 AM
To: counter.spy () gmx de
Cc: snort-users () lists sourceforge net; larosa, vjay
Subject: Re: [Snort-users] Snot based attacks and the -z est option.


counter.spy () gmx de writes:

Yep, that's what I thought, too.


When I use -z est, the only alerts I get are from stream4 & from spp_portscan

Version 1.8.7beta1 (Build 113)

What alerts are you seeing?
-- 
Chris Green <cmg () sourcefire com>
Fame may be fleeting but obscurity is forever.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
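An added illustration of the behaviour the two posters are comparing; this is not code from the thread or from Snort, but a simplified Python model of what the -z est assurance mode does on top of stream4: a TCP alert is kept only if the packet belongs to a flow whose three-way handshake was actually observed, so snot-style packets from bogus source addresses (which never complete a handshake) are suppressed, while UDP and ICMP rules are stateless and fire either way. The packet records, the content rule and the traffic mix are all constructed here; real Snort session tracking (timeouts, reassembly, flow direction) is more involved than this sketch.

```python
from collections import namedtuple

# Constructed packet record; flags are TCP flag letters, e.g. "S", "SA", "PA".
Packet = namedtuple("Packet", "proto src dst sport dport flags payload",
                    defaults=(0, 0, "", b""))

def handshake_step(state, p):
    """stream4-like tracking: a TCP flow counts as established ("est")
    only after a SYN, SYN-ACK and ACK have all been observed."""
    k = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # direction-free key
    st = state.get(k)
    if p.flags == "S" and st is None:
        state[k] = "syn"
    elif p.flags == "SA" and st == "syn":
        state[k] = "synack"
    elif "A" in p.flags and st == "synack":
        state[k] = "est"
    return state.get(k) == "est"

def rule_matches(p):
    # Constructed content rule standing in for a real Snort signature.
    return b"/etc/passwd" in p.payload

def run_detection(packets, est_only):
    """Return (proto, src) per alert. est_only models Snort's -z est:
    TCP alerts are kept only inside established streams; UDP and ICMP
    are stateless, so -z est never filters them."""
    state, alerts = {}, []
    for p in packets:
        established = p.proto == "tcp" and handshake_step(state, p)
        if not rule_matches(p):
            continue
        if est_only and p.proto == "tcp" and not established:
            continue   # spoofed-source packet with no handshake: suppressed
        alerts.append((p.proto, p.src))
    return alerts

def constructed_traffic():
    """One real session, 50 snot-style spoofed TCP packets, one UDP, one ICMP."""
    bad = b"GET /etc/passwd"
    real = [Packet("tcp", "10.0.0.5", "10.0.0.9", 40000, 80, "S"),
            Packet("tcp", "10.0.0.9", "10.0.0.5", 80, 40000, "SA"),
            Packet("tcp", "10.0.0.5", "10.0.0.9", 40000, 80, "A"),
            Packet("tcp", "10.0.0.5", "10.0.0.9", 40000, 80, "PA", bad)]
    spoofed = [Packet("tcp", f"192.0.2.{i}", "10.0.0.9", 1000 + i, 80, "PA", bad)
               for i in range(1, 51)]
    stateless = [Packet("udp", "192.0.2.99", "10.0.0.9", 5000, 53, "", bad),
                 Packet("icmp", "192.0.2.98", "10.0.0.9", payload=bad)]
    return real + spoofed + stateless
```

Running `run_detection(constructed_traffic(), est_only=False)` yields 53 alerts, while `est_only=True` leaves only the real session's TCP alert plus the UDP and ICMP ones, which is the ICMP/UDP-heavy residue vjay describes; if the counts are identical in both modes, stream4 is not actually seeing the handshakes (or the TCP rules are being hit by the stateless traffic).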

