Snort mailing list archives
FW: Snot based attacks and the -z est option.
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 25 Apr 2002 12:04:45 -0400
Hello,

I am struggling to understand the stream4 stateless detection in snort. I am benchmarking NIDS (snort and dragon currently, Real Secure and symantec next) and I needed to see how each product holds up under the snot attack. I posted another e-mail earlier to the list about this subject (attached below), but I am under the gun to get this testing finished up before the weekend so I thought that I would mail again.

I have snot installed on host A plugged in to a hub with host B the snot recipient, and host C the snort sensor. I have snort running with the following command line:

    snort -i eth0 -c /etc/conf/snort.conf -l /var/log/snort -z est

I then run snot with the following command line from host A, aimed at host B:

    ./snot -r snortrules.txt -d 10.10.10.254 -s 10.10.10.0/24 -n 16384

The snortrules.txt file is the snort.conf from above with all of the rules munged into one file from the snort sensor; 10.10.10.254 is host B, the snot recipient. So I would expect to log only the ICMP and UDP events defined in snortrules.txt. All of the TCP events that are being faked should be ignored. This is not what is happening though when I run the tests. I am logging the same amount of alerts when I run snort with and without the -z est option. So what am I doing wrong here?

By the way, I am running snort 1.8.6 build 105.

Thanks!
vjl

-----Original Message-----
From: larosa, vjay
Sent: Wednesday, April 24, 2002 6:59 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snot based attacks and the -z est option.

Hello,

Could someone set me straight here. I am confused by the snort FAQ. It states the following about the -z est option:

Begin Quote
"There is a new command line switch that is used in concert with the stream4 code, "-z". The -z switch can take one of two arguments: "est" and "all". The "all" argument is the default if you don't specify anything and tells Snort to alert normally.

If the -z switch is specified with the "est" argument, Snort will only alert (for TCP traffic) on streams that have been established via a three way handshake or streams where cooperative bidirectional activity has been observed (i.e. where some traffic went one way and something other than a RST or FIN was seen going back to the originator). With "-z est" turned on, Snort completely ignores TCP-based stick/snot "attacks"."
End Quote

So I am under the impression that when I generate an attack using snot and snort is running without the "-z est" option it will alert on every alarm that is matched from the traffic being generated by snot, but if I start snort with the -z est option on the command line,

    snort -i eth0 -c /etc/conf/snort.conf -l /var/log/snort -z est

snort should ignore every single packet because there was no bi-directional activity seen and not log one single snot based TCP event. Is this true? Or am I confused?

Thanks!
vjl

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
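The behaviour the FAQ passage describes can be checked with a small model of the "-z est" decision, added here as an illustration (this is not Snort's stream4 code). The hosts 10.10.10.x, the packet flags and the "rule match" markers are constructed to mirror the hub setup in the post, including host B answering each spoofed packet with a RST, which must not count as cooperation:

```python
# Added example (not Snort code): toy model of the stream4 "-z est" rule from the FAQ.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()  # TCP flags; empty for UDP/ICMP
    matches_rule: bool = True       # constructed: would a signature fire on this packet?

class EstFilter:
    """Pass TCP alerts only for flows showing cooperative bidirectional traffic.

    Per the FAQ text: traffic went one way and something other than a RST or
    FIN came back (a completed three-way handshake is one such case).
    """
    def __init__(self):
        self.sides = {}   # endpoint pair -> hosts that sent non-RST/FIN traffic

    def allow(self, p):
        if p.proto != "tcp":
            return p.matches_rule   # -z est gates TCP only; UDP/ICMP alert as usual
        seen = self.sides.setdefault(frozenset({p.src, p.dst}), set())
        if not p.flags & {"RST", "FIN"}:
            seen.add(p.src)         # a bare RST/FIN reply is not cooperation
        return len(seen) == 2 and p.matches_rule

def count_alerts(packets, est):
    f = EstFilter()
    return sum(1 for p in packets if (f.allow(p) if est else p.matches_rule))

def sample_traffic():
    b, c = "10.10.10.254", "10.10.10.7"   # host B (snot recipient), a real client
    pkts = []
    for i in range(10):   # spoofed, stateless snot packets and B's RST replies
        spoof = f"10.10.10.{i + 20}"
        pkts.append(Pkt("tcp", spoof, b, frozenset({"ACK", "PSH"})))
        pkts.append(Pkt("tcp", b, spoof, frozenset({"RST", "ACK"}), False))
    pkts += [Pkt("udp", "10.10.10.40", b) for _ in range(3)]   # UDP rule hits
    pkts += [Pkt("tcp", c, b, frozenset({"SYN"}), False),      # real handshake
             Pkt("tcp", b, c, frozenset({"SYN", "ACK"}), False),
             Pkt("tcp", c, b, frozenset({"ACK"}), False),
             Pkt("tcp", c, b, frozenset({"ACK", "PSH"}))]      # hit on established flow
    return pkts

if __name__ == "__main__":
    t = sample_traffic()
    print("alerts without -z est:", count_alerts(t, est=False))  # 14
    print("alerts with -z est:", count_alerts(t, est=True))      # 4
```

Under this model the spoofed TCP packets and the RST replies they provoke produce no alerts in est mode, while the UDP hits and the hit inside the real session still do; if a sensor logs the same count with and without -z est, the stream4 state tracking is not taking effect on that traffic.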
Current thread:
- Snot based attacks and the -z est option. larosa, vjay (Apr 24)
- <Possible follow-ups>
- FW: Snot based attacks and the -z est option. larosa, vjay (Apr 25)
- RE: Snot based attacks and the -z est option. counter . spy (Apr 25)
- Re: Snot based attacks and the -z est option. Chris Green (Apr 26)
- Re: Snot based attacks and the -z est option. counter . spy (Apr 26)
- Re: Snot based attacks and the -z est option. Chris Green (Apr 26)
- Re: Snot based attacks and the -z est option. Chris Green (Apr 26)
- RE: Snot based attacks and the -z est option. larosa, vjay (Apr 25)
- RE: Snot based attacks and the -z est option. larosa, vjay (Apr 26)
- Re: Snot based attacks and the -z est option. Chris Green (Apr 26)
- RE: Snot based attacks and the -z est option. larosa, vjay (Apr 26)
- RE: Snot based attacks and the -z est option. larosa, vjay (Apr 26)