Snort mailing list archives

Snot based attacks and the -z est option.


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 24 Apr 2002 18:58:31 -0400

Hello,

Could someone set me straight here. I am confused by the snort FAQ. It
states the following about the -z est option,

Begin Quote
"There is a new command line switch that is used in concert with the stream4
code, "-z". The -z switch can take one of two arguments: "est" and "all".
The "all" argument is the default if you don't specify anything and tells
Snort to alert normally. If the -z switch is specified with the "est"
argument, Snort will only alert (for TCP traffic) on streams that have been
established via a three way handshake or streams where cooperative
bidirectional activity has been observed (i.e. where some traffic went one
way and something other than a RST or FIN was seen going back to the
originator). With "-z est" turned on, Snort completely ignores TCP-based
stick/snot "attacks". "
End Quote

So I am under the impression that when I generate an attack using snot and
snort is running without the "-z est" option, it will alert on every alarm
that is matched from the traffic being generated by snot,

but if I start snort with the -z est option on the command line,

snort -i eth0 -c /etc/conf/snort.conf -l /var/log/snort -z est

snort should ignore every single packet because there was no bi-directional
activity seen, and not log one single snot based TCP event.

Is this true? Or am I confused?

Thanks!

vjl 

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
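The alert gate quoted from the FAQ, modelled as a small stream tracker so the difference between the two modes can be seen on concrete traffic. This is an added example, not Snort's stream4 code: the packet layout, the flag constants, the stand-in content rule and the two constructed packet sequences (a snot-style one-way flood with spoofed sources, and a real client that completes the handshake) are all assumptions made for the example.

```python
"""Toy model of stream4's "-z est" alert gate (added example, not Snort code).

Rule being modelled, as quoted from the Snort FAQ: with "-z est", alert on a
TCP stream only after a completed three-way handshake, or after cooperative
bidirectional traffic, i.e. the responder sent something other than a RST or
FIN back to the originator. With "-z all" (the default) every match alerts.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# TCP flag bits (assumed layout for the example).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed stand-in for a content rule that a snot run would deliberately hit.
RULE_CONTENT = b"/etc/passwd"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class StreamState:
    originator: Tuple[str, int]   # side that sent the first packet we saw
    saw_syn: bool = False
    saw_synack: bool = False
    handshake_done: bool = False  # SYN / SYN-ACK / ACK all observed
    bidirectional: bool = False   # responder sent something other than RST/FIN

    @property
    def established(self) -> bool:
        return self.handshake_done or self.bidirectional


def stream_key(p: Packet) -> Tuple:
    """Direction-independent key so both halves of a stream share one state."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class AlertGate:
    """mode='all' alerts on every match; mode='est' gates on stream state."""

    def __init__(self, mode: str = "est") -> None:
        if mode not in ("all", "est"):
            raise ValueError("mode must be 'all' or 'est'")
        self.mode = mode
        self.streams: Dict[Tuple, StreamState] = {}

    def _track(self, p: Packet) -> StreamState:
        s = self.streams.setdefault(stream_key(p), StreamState(originator=(p.src, p.sport)))
        from_orig = (p.src, p.sport) == s.originator
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if from_orig and syn and not ack:
            s.saw_syn = True
        elif not from_orig and syn and ack and s.saw_syn:
            s.saw_synack = True
        elif from_orig and ack and not syn and s.saw_synack:
            s.handshake_done = True
        # Cooperative reply: anything from the responder that is not RST/FIN.
        if not from_orig and not (p.flags & (RST | FIN)):
            s.bidirectional = True
        return s

    def process(self, p: Packet) -> bool:
        """Return True if a content match on this packet would be alerted."""
        s = self._track(p)
        if RULE_CONTENT not in p.payload:
            return False
        return True if self.mode == "all" else s.established


def run(packets: List[Packet], mode: str) -> int:
    """Number of alerts the given mode would raise over the packet sequence."""
    gate = AlertGate(mode)
    return sum(gate.process(p) for p in packets)


# Constructed snot-style traffic: one-way packets with spoofed sources carrying
# rule content; the only thing ever coming back is a RST from the target.
SNOT_FLOOD = [
    Packet("198.51.100.7", 40001, "192.0.2.10", 80, PSH | ACK, b"GET /cgi-bin/../../etc/passwd"),
    Packet("192.0.2.10", 80, "198.51.100.7", 40001, RST | ACK),
    Packet("203.0.113.9", 40002, "192.0.2.10", 80, PSH | ACK, b"GET /../etc/passwd HTTP/1.0"),
]

# Constructed real client: completes the handshake, then sends the same content.
REAL_SESSION = [
    Packet("10.0.0.5", 51000, "192.0.2.10", 80, SYN),
    Packet("192.0.2.10", 80, "10.0.0.5", 51000, SYN | ACK),
    Packet("10.0.0.5", 51000, "192.0.2.10", 80, ACK),
    Packet("10.0.0.5", 51000, "192.0.2.10", 80, PSH | ACK, b"GET /etc/passwd HTTP/1.0"),
]

if __name__ == "__main__":
    for name, pkts in (("snot flood", SNOT_FLOOD), ("real session", REAL_SESSION)):
        print(f"{name}: -z all -> {run(pkts, 'all')} alerts, -z est -> {run(pkts, 'est')} alerts")
```

In this model the snot flood raises two alerts under "-z all" and none under "-z est", because the target's RST is exactly the kind of reply the rule says not to count, while the real session alerts in both modes. One consequence worth noting: the gate is per stream, so a spoofed packet whose 5-tuple lands inside a session that is already established would still be alerted on.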
