Snort mailing list archives
Re: Snot attacks and -z est option - regarding FAQ 1.9
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Mon, 25 Mar 2002 10:01:22 -0500 (EST)
Hello all,
> Another issue is that I tried to reduce the alerts that were caused by snot by using the -z est option. That idea was based on my assumption that snot causes many fake connections, i.e. no real connections are established. This did not help, I still got most of the alerts.
Really? I experimented extensively some time ago with snort and snort. While I was able to load the snort box somewhat by running snot, snort's "-z" option sent the CPU load way down and drop rate to zero. ONLY alerts that were registered were ICMP and UDP.

Actually, snot does not establish a connection AT ALL, thus "-z est" should ignore all TCP attacks sent by snot (and it did, in my case).

Best,
--
Anton A. Chuvakin, Ph.D.
http://www.chuvakin.org
http://www.info-secure.org
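The filtering effect discussed in this message, as an added example that is not part of the original post and is not Snort's stream4 code: a simplified model in which a rule match on a TCP packet is reported only when the packet belongs to a flow that completed a three-way handshake, while UDP and ICMP matches are always reported. The packet tuples, addresses and the `sig` field (meaning "a rule matched this packet") are constructed for illustration.

```python
from collections import namedtuple

# Constructed packet model: flags is a string such as "S", "SA", "A", "PA".
Pkt = namedtuple("Pkt", "proto src dst flags sig")

def track(state, p):
    """Advance handshake state for p's flow; return True if the flow is established."""
    key = frozenset((p.src, p.dst))
    stage, client = state.get(key, (None, None))
    if "R" in p.flags or "F" in p.flags:
        state.pop(key, None)                      # teardown (simplified)
    elif p.flags == "S" and stage is None:
        state[key] = ("SYN_SENT", p.src)          # client opens
    elif p.flags == "SA" and stage == "SYN_SENT" and p.src != client:
        state[key] = ("SYN_RCVD", client)         # server answers
    elif "A" in p.flags and stage == "SYN_RCVD" and p.src == client:
        state[key] = ("EST", client)              # client completes handshake
    return state.get(key, (None, None))[0] == "EST"

def filter_alerts(packets):
    """Return indexes of packets whose rule match would be reported."""
    state, reported = {}, []
    for i, p in enumerate(packets):
        if p.proto != "tcp":
            if p.sig:
                reported.append(i)                # UDP/ICMP: no session concept
            continue
        established = track(state, p)
        if p.sig and established:
            reported.append(i)                    # TCP: established flows only
    return reported

# Constructed sample traffic (labels and addresses are made up).
C, S = "10.0.0.7:41000", "10.0.0.9:80"
SAMPLE = [
    Pkt("tcp", "10.0.0.5:40000", S, "PA", True),   # 0 stateless TCP, no handshake
    Pkt("udp", "10.0.0.5:53", "10.0.0.9:53", "", True),   # 1 UDP rule match
    Pkt("icmp", "10.0.0.5", "10.0.0.9", "", True),        # 2 ICMP rule match
    Pkt("tcp", C, S, "S", False),                  # 3 real handshake begins
    Pkt("tcp", S, C, "SA", False),                 # 4
    Pkt("tcp", C, S, "A", False),                  # 5 flow established
    Pkt("tcp", C, S, "PA", True),                  # 6 match inside real session
]

if __name__ == "__main__":
    print(filter_alerts(SAMPLE))
```

In this model the stateless TCP packet at index 0 produces no alert, which matches the observation above that only ICMP and UDP alerts remained.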
Current thread:
- Snot attacks and -z est option - regarding FAQ 1.9 counter . spy (Mar 25)
- Re: Snot attacks and -z est option - regarding FAQ 1.9 Andrea Barisani (Mar 25)
- Re: Snot attacks and -z est option - regarding FAQ 1.9 Anton A. Chuvakin (Mar 25)