Snort mailing list archives
Re: [Snort-devel] snort stateful inspection testing
From: Andrea Barisani <lcars () infis univ trieste it>
Date: Sun, 17 Mar 2002 13:38:03 +0100
On Sat, Mar 16, 2002 at 10:53:03AM -0500, Michael Scheidell wrote:
> > Now without the '-z' options the alert is obviously triggered but with -z est the alert is triggered only the first time I simulate the connection! The second time, with different random sequence numbers, snort is silent, and so on until I restart the process.
>
> if memory serves me, the -zest option is supposed to block a DOS attack (caused by multiple spoofed ip connections) so, -zest worked? you forged a tcp connection, and snort only alerted on the first one?
No, the -z flag tells snort to inspect only packets that are part of an established session. My spoofed connection looks like a real one, the -z est switch makes snort ignore packets like an unmatched PSH,ACK (which is common if you're using tools like stick or snot).

This is my understanding of the option, am I right?

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer
Department of Physics - University of Trieste
lcars () infis univ trieste it - PGP Key 0x8E21FE82
------------------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
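A simplified model of the behaviour described in the reply above (only packets belonging to a session whose three-way handshake was observed are inspected), added here as an example; it is not part of the original message and is not Snort's code. The class name, state names and sample packets are hypothetical, and sequence numbers are not tracked.

```python
# Model of "inspect only established sessions" as the reply describes -z est.
# Assumption: a hypothetical tracker, not Snort's stream reassembly code.
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10

class EstablishedFilter:
    def __init__(self):
        self.flows = {}  # direction-independent flow key -> (state, client endpoint)

    @staticmethod
    def _key(src, dst):
        return (src, dst) if src <= dst else (dst, src)

    def should_inspect(self, src, dst, flags):
        """True only for packets on a flow whose handshake was fully observed."""
        key = self._key(src, dst)
        if flags & RST:                       # reset: forget the flow
            self.flows.pop(key, None)
            return False
        if flags & SYN and not flags & ACK:   # initial SYN: start tracking
            self.flows[key] = ("SYN_SEEN", src)
            return False
        entry = self.flows.get(key)
        if entry is None:                     # e.g. an unmatched PSH,ACK
            return False
        state, client = entry
        if state == "SYN_SEEN" and flags & SYN and flags & ACK and src != client:
            self.flows[key] = ("SYNACK_SEEN", client)
            return False
        if state == "SYNACK_SEEN" and flags == ACK and src == client:
            self.flows[key] = ("ESTABLISHED", client)
            return False                      # bare ACK completing the handshake
        return state == "ESTABLISHED"

# Constructed sample traffic (documentation address ranges, made-up ports).
CLIENT, SERVER = ("192.0.2.10", 40000), ("198.51.100.5", 80)
SAMPLE = [
    (CLIENT, SERVER, SYN),
    (SERVER, CLIENT, SYN | ACK),
    (CLIENT, SERVER, ACK),
    (CLIENT, SERVER, PSH | ACK),                # data on an established session
    (("203.0.113.7", 1234), SERVER, PSH | ACK), # stateless packet, no handshake
]

def run(packets):
    f = EstablishedFilter()
    return [f.should_inspect(*p) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(pkt, "inspect" if verdict else "skip")
```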