RE: I found a bug

["Ronneil Camara" <ronneilc () remingtonltd com>]

Hi Erek,

> -----Original Message-----
> From: Erek Adams [mailto:erek () theadamsfamily net]
> Sent: Monday, April 15, 2002 2:25 PM
> To: Ronneil Camara
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] I found a bug
>
>
> Stream4 introduces a new command line switch: "-z". The -z 
> switch can take one
> of two arguments: "est" and "all". The "all" argument is the 
> default if you
> don't specify anything and tells Snort to alert normally. If 
> the -z switch is
> specified with the "est" argument, Snort will only alert (for 
> TCP traffic) on
> streams that have been established via a three way handshake 
> or streams where

Ok. So this means that flexresp will still be successful if
the session has completed the 3 way handshake. If this is the
case, what should be my flags then? Currently, I'm using A+.

As a result, snort will send a TCP reset after the 3WAY HS.

> cooperative bidirectional activity has been observed (i.e. 
> where some traffic
> went one way and something other than a RST or FIN was seen 
> going back to the
> originator). With "-z est" turned on, Snort completely 
> ignores TCP-based
> stick/snot "attacks".
>
> Make sense?  :)
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users