Snort mailing list archives
FAQ error? -z est?
From: "Michael Scheidell" <scheidell () secnap net>
Date: Sat, 14 Jan 2006 07:56:32 -0500
Somewhere in the back of my mind, I remember a change in the -z switch to snort. I also seem to remember it being replaced by a snort.conf option. If this is so, could the FAQ and documentation maintainer make changes?

Example: http://www.snort.org/docs/faq/1Q05/node47.html#stream4

There is a new command line switch that is used in concert with the stream4 code, "-z". The -z switch can take one of two arguments: "est" and "all". The "all" argument is the default if you don't specify anything and tells Snort to alert normally. If the -z switch is specified with the "est" argument, Snort will only alert (for TCP traffic) on streams that have been established via a three way handshake or streams where cooperative bidirectional activity has been observed (i.e. where some traffic went one way and something other than a RST or FIN was seen going back to the originator). With "-z est" turned on, Snort completely ignores TCP-based stick/snot "attacks".

-z est doesn't work as of snort ver (2.3?)
-z all doesn't work as of snort ver 2.3
Documentation says using -z user default (all) not true?
Correct option should be -z enables est mode.

--
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
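
The "est" behaviour described in the FAQ text quoted in this message can be modelled as a small per-flow state tracker. This is an added example, not part of the original post and not Snort's stream4 code: `Pkt`, `EstTracker`, `alerts` and the sample packets are constructed for illustration, and excluding SYN-bearing replies from the "cooperative" rule is an assumption of this model.

```python
from collections import namedtuple

# src/dst are "ip:port" strings, flags is a set of TCP flag names,
# hit marks a packet that matched some rule (a field invented for this model).
Pkt = namedtuple("Pkt", "src dst flags hit")

class EstTracker:
    def __init__(self):
        self.flows = {}  # frozenset({src, dst}) -> [originator, handshake_step, established]

    def observe(self, pkt):
        """Update flow state with pkt; return True if the flow counts as established."""
        flow = self.flows.setdefault(frozenset((pkt.src, pkt.dst)), [pkt.src, 0, False])
        originator, step, _ = flow
        from_orig = pkt.src == originator
        flags = set(pkt.flags)
        if from_orig and flags == {"SYN"} and step == 0:
            flow[1] = 1
        elif not from_orig and flags == {"SYN", "ACK"} and step == 1:
            flow[1] = 2
        elif from_orig and "ACK" in flags and "SYN" not in flags and step == 2:
            flow[2] = True  # three-way handshake completed
        elif not from_orig and not flags & {"SYN", "RST", "FIN"}:
            flow[2] = True  # cooperative reply: something other than RST/FIN came back
        return flow[2]

def alerts(packets, mode):
    """Return indexes of rule-matching packets that would alert in 'all' or 'est' mode."""
    tracker, out = EstTracker(), []
    for i, pkt in enumerate(packets):
        established = tracker.observe(pkt)
        if pkt.hit and (mode == "all" or established):
            out.append(i)
    return out

A, B, X, C = "192.0.2.10:40000", "192.0.2.80:80", "192.0.2.66:1234", "192.0.2.20:40001"
SAMPLE = [  # constructed traffic, not a real capture
    Pkt(A, B, {"SYN"}, False),         # 0: normal handshake
    Pkt(B, A, {"SYN", "ACK"}, False),  # 1
    Pkt(A, B, {"ACK"}, False),         # 2
    Pkt(A, B, {"PSH", "ACK"}, True),   # 3: rule hit on an established stream
    Pkt(X, B, {"PSH", "ACK"}, True),   # 4: stateless stick/snot-style packet
    Pkt(B, X, {"RST"}, False),         # 5: RST back does not count as cooperation
    Pkt(X, B, {"PSH", "ACK"}, True),   # 6: still not established
    Pkt(C, B, {"ACK"}, True),          # 7: mid-stream, no reply seen yet
    Pkt(B, C, {"ACK"}, False),         # 8: non-RST/FIN reply to the originator
    Pkt(C, B, {"PSH", "ACK"}, True),   # 9: now treated as established
]

if __name__ == "__main__":
    print("all:", alerts(SAMPLE, "all"))
    print("est:", alerts(SAMPLE, "est"))
```
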