Snort mailing list archives

FW: Snot based attacks and the -z est option.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 25 Apr 2002 12:04:45 -0400

Hello,

I am struggling to understand the stream4 stateless detection in snort. I am
benchmarking NIDS (snort and dragon currently, Real Secure and symantec
next) and I needed to see how each product holds up under the snot attack. I
posted another e-mail earlier to the list about this subject (attached
below), but I am under the gun to get this testing finished up before the
weekend so I thought that I would mail again. I have snot installed on host
A plugged into a hub with host B the snot recipient, and host C the snort
sensor. I have snort running with the following command line,

snort -i eth0 -c /etc/conf/snort.conf -l /var/log/snort -z est

I then run snot with the following command line from Host A, aimed at host
B.

./snot -r snortrules.txt -d 10.10.10.254 -s 10.10.10.0/24 -n 16384

The snortrules.txt file is the snort.conf from above with all of the rules
munged into one file from the snort sensor; 10.10.10.254 is host B, the snot
recipient.

So I would expect to log only the ICMP and UDP events defined in the
snortrules.txt. All of the TCP events that are being faked should be
ignored. This is not what is happening, though, when I run the tests. I am
logging the same amount of alerts when I run snort with and without the
-z est option. So what am I doing wrong here?

By the way I am running snort 1.8.6 build 105. 

Thanks!

vjl



-----Original Message-----
From: larosa, vjay 
Sent: Wednesday, April 24, 2002 6:59 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snot based attacks and the -z est option.


Hello,

Could someone set me straight here? I am confused by the snort FAQ. It
states the following about the -z est option,

Begin Quote
"There is a new command line switch that is used in concert with the stream4
code, "-z". The -z switch can take one of two arguments: "est" and "all".
The "all" argument is the default if you don't specify anything and tells
Snort to alert normally. If the -z switch is specified with the "est"
argument, Snort will only alert (for TCP traffic) on streams that have been
established via a three way handshake or streams where cooperative
bidirectional activity has been observed (i.e. where some traffic went one
way and something other than a RST or FIN was seen going back to the
originator). With "-z est" turned on, Snort completely ignores TCP-based
stick/snot "attacks". "
End Quote

So I am under the impression that when I generate an attack using snot and
snort is running without the "-z est" option it will alert on every alarm
that is matched from the traffic being generated by snot,

but if I start snort with the -z est option on the command line,

snort -i eth0 -c /etc/conf/snort.conf -l /var/log/snort -z est

snort should ignore every single packet because there was no bi-directional
activity seen and not log one single snot based TCP event.

Is this true? Or am I confused?

Thanks!

vjl 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

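To make the FAQ's "-z est" rule concrete, here is a small Python model of the "-z all" versus "-z est" alerting decision run over constructed traffic: one-way spoofed packets of the kind snot sends, and a genuine three-way handshake. This is an added illustration written for this archive page, not Snort's stream4 code; the packet record, flag names, addresses and the two helper functions are assumptions of the model.

```python
from collections import namedtuple
# Constructed packet record: 5-tuple, TCP flags, and whether it matched a rule.
Pkt = namedtuple("Pkt", "proto src sport dst dport flags matched")
SYN, ACK, FIN, RST = "S", "A", "F", "R"

def flow_key(p):
    """Direction-independent key so both halves of a conversation share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def alerts_all(packets):
    """'-z all' (the default): every rule match alerts, spoofed or not."""
    return [p for p in packets if p.matched]

def alerts_est(packets):
    """'-z est': a TCP match alerts only once its stream is established (a full
    SYN / SYN-ACK / ACK handshake, or a responder reply that is not a bare RST
    or FIN). Non-TCP matches pass through, so snot's ICMP/UDP hits still log."""
    state, alerts = {}, []
    for p in packets:
        if p.proto != "tcp":
            if p.matched:
                alerts.append(p)
            continue
        s = state.setdefault(flow_key(p),
                             {"orig": (p.src, p.sport), "stage": 0, "est": False})
        from_orig = (p.src, p.sport) == s["orig"]
        if not s["est"]:
            if s["stage"] == 0 and from_orig and p.flags == {SYN}:
                s["stage"] = 1                      # SYN seen
            elif s["stage"] == 1 and not from_orig and p.flags == {SYN, ACK}:
                s["stage"] = 2                      # SYN/ACK seen
            elif s["stage"] == 2 and from_orig and ACK in p.flags:
                s["est"] = True                     # handshake complete
            elif not from_orig and not (p.flags & {RST, FIN}):
                s["est"] = True                     # cooperative reply seen
        if p.matched and s["est"]:
            alerts.append(p)
    return alerts

# Constructed traffic: snot-style one-way spoofed TCP plus a UDP packet, then a
# genuine session whose fourth packet matches a rule.
SNOT = [Pkt("tcp", "10.10.10.%d" % i, 40000 + i, "10.10.10.254", 80,
            frozenset({ACK}), True) for i in (17, 33, 91)]
SNOT.append(Pkt("udp", "10.10.10.9", 5555, "10.10.10.254", 53, frozenset(), True))
C, S = ("10.10.10.5", 31337), ("10.10.10.254", 80)
REAL = [Pkt("tcp", *C, *S, frozenset({SYN}), False),       # client SYN
        Pkt("tcp", *S, *C, frozenset({SYN, ACK}), False),  # server SYN/ACK
        Pkt("tcp", *C, *S, frozenset({ACK}), False),       # client ACK
        Pkt("tcp", *C, *S, frozenset({ACK}), True)]        # client data hits a rule
```

With "-z all" all four snot packets alert; with "-z est" only the UDP one does, and the real session's rule hit still alerts because its handshake completed.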
