Snort mailing list archives

Re: Snort 1.8.7 with -z est|all switch fails to start


From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 12 Jul 2002 10:30:51 -0700 (PDT)

On Fri, 12 Jul 2002, Dushyanth Harinath wrote:

> Just downloaded and compiled Snort 1.8.7 on my slackware 8.0 machine
> (Intel arch) with the options (--with-mysql --with-openssl --enable-debug).
> Starting snort with -z switch quits with the error given below. It works
> without the -z switch.
> [...snip...]
Actually, it's changed from how it was in version 1.8.6:

From the manpage:

     -z   The -z switch is  used  in  concert  with  the  stream4
          preprocessor  code.   It  takes  advantage of stream4's
          stateful inspection capabilities to reduce  the  amount
          of  spoofing  that  may  be  done  against  Snort.   By
          default, snort doesn't worry about the TCP state  of  a
          packet  when  it's  about  to  issue  an alert.  The -z
          switch tells Snort to only allow alerts to be generated
          for  packets that are part of a known, established ses-
          sion.  This allows Snort to greatly reduce  the  effect
          of anti-NIDS tools like stick and snot.

So if you are using '-z est' then you should just change it to '-z', since
snort now defaults to established mode when the switch is present.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
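The advice above amounts to a one-token change on the command line, but on a box that starts Snort from an init script it is easy to miss. The POSIX sh function below is an added example, not code from the thread or from the Snort project: it rewrites a 1.8.6-style argument list so that a mode word following `-z` is dropped, since in 1.8.7 `-z` takes no argument and always means established sessions only. It assumes the mode word (`est` or `all`) is passed as its own argument immediately after `-z`, as in the original poster's invocation, and it warns on `all` because the 1.8.7 manpage excerpt describes only the established-session behaviour.

```shell
#!/bin/sh
# Added example (not from the original thread or the Snort project):
# migrate a Snort 1.8.6-style command line that uses "-z est" or "-z all"
# into the 1.8.7 form, where -z takes no argument.
# Assumption: the mode word, if present, is the argument right after -z.
# Limitation: arguments are re-joined with spaces, so an argument that
# itself contains whitespace would be split when the result is reused.

migrate_snort_args() {
    out=""
    expect_mode=0
    for arg in "$@"; do
        if [ "$expect_mode" -eq 1 ]; then
            expect_mode=0
            case "$arg" in
                est)
                    # "-z est" is the 1.8.7 default: drop the mode word
                    continue ;;
                all)
                    # no 1.8.7 equivalent is documented; drop it but say so
                    printf 'warning: "-z all" dropped; in 1.8.7 -z means established-only\n' >&2
                    continue ;;
            esac
            # any other token is an ordinary argument and is kept below
        fi
        if [ "$arg" = "-z" ]; then
            expect_mode=1
        fi
        out="$out $arg"
    done
    # strip the leading space left by the join
    printf '%s\n' "${out# }"
}

# Usage (constructed input):
#   migrate_snort_args -c /etc/snort/snort.conf -z est -D
# prints: -c /etc/snort/snort.conf -z -D
```

Run it over the arguments an init script currently passes and compare the output with the original; a difference means the script still uses the 1.8.6 syntax and will fail to start under 1.8.7 exactly as the original poster saw.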


