Re: [Snort-devel] snort stateful inspection testing

[Andrea Barisani <lcars () infis univ trieste it>]

On Sat, Mar 16, 2002 at 10:53:03AM -0500, Michael Scheidell wrote:
> > Now without the '-z' options the alert is obviously triggered but 
> > with -z est the alert is triggered only the first time I simulate
> > the connection! The second time, with different random sequence 
> > numbers, snort is silent, and so on until I restart the process.
>
> if memory serves me, the -zest option is supposed to block a DOS attack
> (caused by multiple spoofed ip connections)
>
> so, -zest worked?
> you forged a tcp connection, and snort only alerted on the first one?
>
> > "You must be,'said the Cat,'or you wouldn't have come here."

No, the -z flag tells snort to inspect only packets that are part of an
established session. My spoofed connection looks like a real one, the -z est
switch make snort ignoring packets like a unmatched PSH,ACK (wich is common
if you're using tools like stick or snot). This is my understanding of the
option, am I right?

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer         .*. 
Department of Physics       - University of Trieste    /V\
lcars () infis univ trieste it - PGP Key 0x8E21FE82      (/ \)
----------------------------------------------------  (   )
"How would you know I'm mad?" said Alice.             ^^-^^
"You must be,'said the Cat,'or you wouldn't have come here."
------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users