[Snort-devel] snort stateful inspection testing

Gangadhar NPK npkg at ...1093...
Sun Mar 17 21:39:02 EST 2002


> This is what the snort host see:
>
> 15:59:30.573688 10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 11020:11028(8) win 65535 (DF) (ttl 200, id 1, len 48)
> 15:59:30.585081 192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 12044:12044(0) ack 11021 win 65535 (DF) [tos 0x10]  (ttl 3, id 1, len 40)
> 15:59:31.611747 10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 12045 win 65535 (DF) (ttl 200, id 2, len 40)
> 15:59:31.635338 10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 11029:11036(7) ack 12045 win 65535 (DF) (ttl 200, id 3, len 47)
>

  There seems to be nothing wrong with the packet traffic.

> Now without the '-z' options the alert is obviously triggered but  with
> -z est the alert is triggered only the first time I simulate
> the connection! The second time, with different random sequence
> numbers, snort is silent, and so on until I restart the process.

The -z est option works on established connections, so that's the reason.
Probably, once the connection is established, snort is not looking at
the packets. Correct me if I am wrong.

regards
gangadhar
-- 
Software is like sex: it's better when it's free
                                       - Linus
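As an added illustration (this is not Snort's stream4 code and not part of the thread above), the Python model below shows what an "inspect established sessions only" policy in the spirit of -z est does with the quoted trace: payload is passed to inspection only after the three-way handshake has completed, a lone data packet with no handshake is ignored, and, for contrast, what happens if a tracker fails to reset its session state when a fresh SYN arrives on a 4-tuple it already tracks. That last case is a hypothetical defect used to show the failure mode, not a diagnosis of the behaviour reported in this thread. The replayed and stateless traces, their sequence numbers, and all class and function names are constructed for the example.

```python
"""Toy model of established-only inspection over tcpdump-style lines.

Added example, not Snort code. Parses old tcpdump 3.x TCP output,
tracks the three-way handshake per 4-tuple, and reports which payload
packets an established-only policy would hand to the rule engine.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the four packets quoted in the thread, one per line.
HANDSHAKE_TRACE = """\
15:59:30.573688 10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 11020:11028(8) win 65535 (DF) (ttl 200, id 1, len 48)
15:59:30.585081 192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 12044:12044(0) ack 11021 win 65535 (DF) [tos 0x10]  (ttl 3, id 1, len 40)
15:59:31.611747 10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 12045 win 65535 (DF) (ttl 200, id 2, len 40)
15:59:31.635338 10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 11029:11036(7) ack 12045 win 65535 (DF) (ttl 200, id 3, len 47)
"""
# Constructed: the same simulated connection replayed with different ISNs.
REPLAY_TRACE = """\
16:01:02.000000 10.1.7.1.1025 > 192.168.0.1.80: S [tcp sum ok] 3000000000:3000000008(8) win 65535 (DF) (ttl 200, id 1, len 48)
16:01:02.010000 192.168.0.1.80 > 10.1.7.1.1025: S [tcp sum ok] 4000000000:4000000000(0) ack 3000000001 win 65535 (DF) (ttl 3, id 1, len 40)
16:01:03.000000 10.1.7.1.1025 > 192.168.0.1.80: . [tcp sum ok] ack 4000000001 win 65535 (DF) (ttl 200, id 2, len 40)
16:01:03.020000 10.1.7.1.1025 > 192.168.0.1.80: P [tcp sum ok] 3000000009:3000000016(7) ack 4000000001 win 65535 (DF) (ttl 200, id 3, len 47)
"""
# Constructed: a lone data packet with no handshake (stateless noise).
STATELESS_TRACE = """\
16:05:00.000000 10.1.7.1.1026 > 192.168.0.1.80: P [tcp sum ok] 500:507(7) ack 1 win 65535 (DF) (ttl 200, id 9, len 47)
"""

PKT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFRP.]+) \[tcp sum ok\] "
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<dlen>\d+)\) )?(?:ack (?P<ack>\d+) )?win (?P<win>\d+)"
)
MOD = 1 << 32


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    seq: int    # 0 when tcpdump printed no seq range (pure ACK)
    dlen: int
    ack: int    # 0 when no ack field was printed (bare SYN)
    win: int


def parse_tcpdump_line(line):
    """Parse one old-style tcpdump TCP line; host and port are split on the last dot."""
    m = PKT_RE.match(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    src, sport = m["src"].rsplit(".", 1)
    dst, dport = m["dst"].rsplit(".", 1)
    return Packet(src, int(sport), dst, int(dport), m["flags"],
                  int(m["seq"] or 0), int(m["dlen"] or 0), int(m["ack"] or 0), int(m["win"]))


def in_window(seq, expected, win):
    """True if seq lies in [expected, expected + win) modulo 2^32."""
    return (seq - expected) % MOD < win


@dataclass
class Session:
    state: str             # SYN_SENT -> SYN_RECV -> ESTABLISHED
    client: tuple          # (ip, port) of the side that sent the SYN
    client_next: int = 0   # next sequence number expected from the client
    server_next: int = 0
    win: int = 65535


class EstablishedOnlyTracker:
    """reset_on_syn=False models a hypothetical tracker that ignores a new SYN
    on a 4-tuple it already tracks; True tears the old session down."""

    def __init__(self, reset_on_syn=True):
        self.sessions = {}
        self.reset_on_syn = reset_on_syn

    @staticmethod
    def key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a < b else (b, a)

    def process(self, pkt):
        """Return 'inspect' for payload on an established session, else a skip reason."""
        k = self.key(pkt)
        s = self.sessions.get(k)
        if "S" in pkt.flags and pkt.ack == 0:                 # bare SYN from a client
            if s is not None and not self.reset_on_syn:
                return "skip: SYN on existing session ignored"
            self.sessions[k] = Session("SYN_SENT", (pkt.src, pkt.sport),
                                       client_next=(pkt.seq + 1) % MOD, win=pkt.win)
            return "skip: handshake"
        if s is None:
            return "skip: no session"
        from_client = (pkt.src, pkt.sport) == s.client
        if "S" in pkt.flags and not from_client and s.state == "SYN_SENT":   # SYN/ACK
            s.server_next, s.state = (pkt.seq + 1) % MOD, "SYN_RECV"
            return "skip: handshake"
        if s.state == "SYN_RECV" and from_client and "S" not in pkt.flags and pkt.ack == s.server_next:
            s.state = "ESTABLISHED"                            # third packet of the handshake
        if s.state != "ESTABLISHED":
            return "skip: not established"
        if pkt.dlen == 0:
            return "skip: no payload"
        expected = s.client_next if from_client else s.server_next
        if not in_window(pkt.seq, expected, s.win):
            return "skip: out of window"
        return "inspect"


def run(trace, established_only=True, reset_on_syn=True):
    """Return the (seq, dlen) of every payload the policy would hand to rule matching."""
    tracker, inspected = EstablishedOnlyTracker(reset_on_syn), []
    for line in trace.splitlines():
        pkt = parse_tcpdump_line(line)
        verdict = tracker.process(pkt)
        if not established_only and pkt.dlen > 0:
            verdict = "inspect"                                # stateless mode: every payload
        if verdict == "inspect":
            inspected.append((pkt.seq, pkt.dlen))
    return inspected


if __name__ == "__main__":
    print("established-only:", run(HANDSHAKE_TRACE))
    print("stateless:       ", run(HANDSHAKE_TRACE, established_only=False))
    print("replay, reset:   ", run(HANDSHAKE_TRACE + REPLAY_TRACE))
    print("replay, no reset:", run(HANDSHAKE_TRACE + REPLAY_TRACE, reset_on_syn=False))
```

Two things worth noticing when running it. In stateless mode the 8 payload bytes carried on the initial SYN are inspected too, which is why the reporter sees an alert without -z. And the quoted server SYN/ACK acknowledges only 11021, while the client's PSH starts at 11029, so the model accepts data by window rather than by exact next-sequence match; a tracker that insisted on an exact match would already drop that first payload.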


