[Snort-devel] snort stateful inspection testing

Andrea Barisani lcars at ...360...
Sun Mar 17 04:40:05 EST 2002

On Sat, Mar 16, 2002 at 10:53:03AM -0500, Michael Scheidell wrote:
> > 
> > Now without the '-z' options the alert is obviously triggered but 
> > with -z est the alert is triggered only the first time I simulate
> > the connection! The second time, with different random sequence 
> > numbers, snort is silent, and so on until I restart the process.
> if memory serves me, the -zest option is supposed to block a DOS attack
> (caused by multiple spoofed ip connections)
> so, -zest worked?
> you forged a tcp connection, and snort only alerted on the first one?
> > "You must be,'said the Cat,'or you wouldn't have come here."

No, the -z flag tells snort to inspect only packets that are part of an
established session. My spoofed connection looks like a real one; the -z est
switch makes snort ignore packets like an unmatched PSH,ACK (which is common
if you're using tools like stick or snot). This is my understanding of the
option, am I right?


INFIS Network Administrator & Security Officer         .*. 
Department of Physics       - University of Trieste    /V\
lcars at ...360... - PGP Key 0x8E21FE82      (/ \)
----------------------------------------------------  (   )
"How would you know I'm mad?" said Alice.             ^^-^^
"You must be,'said the Cat,'or you wouldn't have come here."
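As an added illustration of the '-z est' behaviour discussed in this thread (a toy model written for this page, not Snort's own code): a minimal session tracker that only hands a packet to content matching once the three-way handshake of its flow has been seen, so an unmatched PSH,ACK carrying the same payload is silently ignored. All packet values are constructed.

```python
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10   # TCP flag bits
@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

class EstTracker:
    # Toy model of the '-z est' idea: a flow counts as established only
    # after SYN, SYN/ACK and the final ACK have all been seen.
    def __init__(self) -> None:
        self.state = {}   # (src, sport, dst, dport) -> "syn" | "synack" | "est"

    def established(self, p: Pkt) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags & SYN and not p.flags & ACK:                 # client SYN
            self.state[fwd] = "syn"
            return False
        if p.flags & SYN and self.state.get(rev) == "syn":      # server SYN/ACK
            self.state[rev] = "synack"
            return False
        if p.flags & ACK and self.state.get(fwd) == "synack":   # handshake ACK
            self.state[fwd] = "est"
        return "est" in (self.state.get(fwd), self.state.get(rev))

def count_alerts(pkts, pattern: bytes, est_only: bool) -> int:
    # Content-match every packet, or (est_only) only packets in a tracked session.
    tracker, alerts = EstTracker(), 0
    for p in pkts:
        in_session = tracker.established(p)   # update state on every packet
        if pattern in p.payload and (in_session or not est_only):
            alerts += 1
    return alerts

# Constructed traffic: a full handshake plus data, then an unmatched PSH/ACK
# carrying the same payload with no session behind it (stick/snot style).
PAYLOAD = b"GET /cgi-bin/evil HTTP/1.0\r\n"
SESSION = [
    Pkt("10.0.0.5", 40000, "10.0.0.1", 80, SYN),
    Pkt("10.0.0.1", 80, "10.0.0.5", 40000, SYN | ACK),
    Pkt("10.0.0.5", 40000, "10.0.0.1", 80, ACK),
    Pkt("10.0.0.5", 40000, "10.0.0.1", 80, PSH | ACK, PAYLOAD),
]
STRAY = [Pkt("10.9.9.9", 1234, "10.0.0.1", 80, PSH | ACK, PAYLOAD)]
```

Without est_only both payloads alert; with est_only only the packet inside the handshaked session does, which is the filtering effect the thread attributes to -z est.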
