Snort mailing list archives
RE: Snot based attacks and the -z est option.
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Thu, 25 Apr 2002 18:20:08 -0400
I am glad to see that I am not the only person with the problem. I am about to test Dragon right now with snot. I think with all of the fragroute hype everyone is busy trying to write code to handle that problem. Hopefully someone will be able to get some time to take a look at our problem in the next few days. Thanks for the response.

vjl

-----Original Message-----
From: counter.spy () gmx de [mailto:counter.spy () gmx de]
Sent: Thursday, April 25, 2002 4:04 PM
To: snort-users () lists sourceforge net
Cc: larosa, vjay
Subject: RE: [Snort-users] Snot based attacks and the -z est option.

Vjay,

I also have run tests with snot-0.92a recently, and I found both snort and ISS RealSecure 6.5 could be flooded with snot garbage so an analyst would have a hard time figuring out if there's a real attack within all that garbage.

[...]
So I would expect to log only ICMP, and UDP events defined in the snortrules.txt. All of the TCP events that are being faked should be ignored.
[...] Yep, that's what I thought, too. [...]
This is not what is happening though when I run the tests. I am logging the same amount of alerts when I run snort with and without the -z est option. So what am I doing wrong here?
[...] Well, maybe not exactly the same amount, but not much less, and not all ICMP and UDP. I can totally confirm your results, but I must admit that I haven't done an in-depth analysis of which kinds of out-of-band TCP attacks get filtered by the -z est and which do not. I would be interested if anyone else can confirm this, since I had posted a similar mail some weeks ago and at that time still thought I had done something wrong. But having run those tests repeatedly I think now I can be sure that this is the way things are.

Hope that helps!

-Detmar
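The behaviour both posters expected from -z est is that a TCP rule only fires for packets belonging to a session whose three-way handshake the sensor has seen, so spoofed snot-style packets with no session behind them produce no alert. The following is an added example, not code from this thread or from Snort: a toy stream tracker (in the spirit of stream4, but not its implementation) plus a counter that applies the "established only" filter, run over constructed traffic containing one genuine session, two session-less decoys and one UDP packet.

```python
# Added example (not code from the thread or from Snort): a toy model of what
# "-z est" is meant to do. A TCP signature hit counts only if the packet belongs
# to a stream whose handshake the sensor saw; UDP and ICMP hits are unaffected.
from dataclasses import dataclass
SYN, ACK = 0x02, 0x10

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: int = 0        # TCP flag bits; ignored for udp/icmp
    payload: bytes = b""

class StreamTracker:  # per-host-pair handshake state (constructed, stream4-like)
    def __init__(self):
        self.state = {}   # (hostA, hostB) -> "syn" | "synack" | "established"
    def observe(self, p: Packet) -> bool:
        """Advance state for p; return True if p is in an established stream."""
        if p.proto != "tcp":
            return False
        k = tuple(sorted((p.src, p.dst)))
        st = self.state.get(k)
        if p.flags & SYN and not p.flags & ACK:
            self.state[k] = "syn"             # client SYN
        elif p.flags & SYN and p.flags & ACK and st == "syn":
            self.state[k] = "synack"          # server SYN/ACK
        elif p.flags & ACK and st == "synack":
            self.state[k] = "established"     # final ACK completes handshake
        return self.state.get(k) == "established"

def alert_count(packets, signature: bytes, established_only: bool) -> int:
    """Count signature hits; with established_only, TCP hits need a tracked stream."""
    tracker, hits = StreamTracker(), 0
    for p in packets:
        est = tracker.observe(p)
        if signature in p.payload and (p.proto != "tcp" or est or not established_only):
            hits += 1
    return hits

SIG = b"GET /cgi-bin/phf"
TRAFFIC = [  # constructed: one real session plus decoys with no handshake
    Packet("tcp", "10.0.0.5", "10.0.0.9", SYN),
    Packet("tcp", "10.0.0.9", "10.0.0.5", SYN | ACK),
    Packet("tcp", "10.0.0.5", "10.0.0.9", ACK),
    Packet("tcp", "10.0.0.5", "10.0.0.9", ACK, SIG),   # genuine request
    Packet("tcp", "1.2.3.4", "10.0.0.9", ACK, SIG),    # decoy, no session
    Packet("tcp", "5.6.7.8", "10.0.0.9", ACK, SIG),    # decoy, no session
    Packet("udp", "9.9.9.9", "10.0.0.9", 0, SIG),      # udp still alerts
]
```

Without the filter all four signature hits are reported; with it only the genuine TCP request and the UDP packet remain, which is the drop the posters expected to see and did not.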