Snort mailing list archives
FAQ update regarding -z
From: Jeff Nathan <jeff () snort org>
Date: Mon, 13 May 2002 02:28:01 -0700
Patch attached. Yay!

-Jeff

--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
--- doc/FAQ.orig Mon May 13 02:20:38 2002 +++ doc/FAQ Mon May 13 02:25:50 2002 @@ -768,15 +768,14 @@ Reassembly alerts: ACTIVE There is a new command line switch that is used in concert with the - stream4 code, "-z". The -z switch can take one of two arguments: "est" - and "all". The "all" argument is the default if you don't specify - anything and tells Snort to alert normally. If the -z switch is - specified with the "est" argument, Snort will only alert (for TCP - traffic) on streams that have been established via a three way handshake - or streams where cooperative bidirectional activity has been observed - (i.e. where some traffic went one way and something other than a RST or - FIN was seen going back to the originator). With "-z est" turned on, - Snort completely ignores TCP-based stick/snot "attacks". + stream4 code. By default, snort will alert normally and will alert + statelessly. If the -z switch is specified, Snort will only alert + (for TCP traffic) on streams that have been established via a three + way handshake or streams where cooperative bidirectional activity + has been observed (i.e. where some traffic went one way and something + other than a RST or FIN was seen going back to the originator). + With "-z" turned on, Snort completely ignores TCP-based stick/snot + "attacks". 3.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq-- Q: Where does one obtain new/modifed rules? How do you merge them in?
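Review bot: the new sentence "By default, snort will alert normally and will alert statelessly" says the same thing twice and lowercases "snort" while the rest of the paragraph writes "Snort"; suggest "By default, Snort alerts statelessly on all TCP traffic." Since this hunk drops the description of the "est" and "all" arguments, the paragraph should also state explicitly that -z now takes no argument, so that readers who picked up "-z est" from the earlier FAQ wording know the argument form is gone rather than merely undocumented. The carried-over closing sentence, "Snort completely ignores TCP-based stick/snot attacks", sits next to "(for TCP traffic)" in the same paragraph; it would be clearer to say that with -z only alerts on unestablished TCP streams are suppressed, and that alerting on non-TCP traffic is unchanged.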