[Snort-devel] FAQ update regarding -z

Jeff Nathan jeff at ...835...
Mon May 13 02:29:03 EDT 2002


Patch attached.

Yay!@

-Jeff

-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
-------------- next part --------------
--- doc/FAQ.orig	Mon May 13 02:20:38 2002
+++ doc/FAQ	Mon May 13 02:25:50 2002
@@ -768,15 +768,14 @@
    Reassembly alerts: ACTIVE
    
    There is a new command line switch that is used in concert with the
-   stream4 code, "-z".  The -z switch can take one of two arguments: "est"
-   and "all".  The "all" argument is the default if you don't specify
-   anything and tells Snort to alert normally.  If the -z switch is
-   specified with the "est" argument, Snort will only alert (for TCP
-   traffic) on streams that have been established via a three way handshake
-   or streams where cooperative bidirectional activity has been observed
-   (i.e. where some traffic went one way and something other than a RST or
-   FIN was seen going back to the originator).  With "-z est" turned on,
-   Snort completely ignores TCP-based stick/snot "attacks".
+   stream4 code.  By default, snort will alert normally and will alert
+   statelessly.  If the -z switch is specified, Snort will only alert
+   (for TCP traffic) on streams that have been established via a three
+   way handshake or streams where cooperative bidirectional activity
+   has been observed (i.e. where some traffic went one way and something
+   other than a RST or FIN was seen going back to the originator).  
+   With "-z" turned on, Snort completely ignores TCP-based stick/snot
+   "attacks".
    
 3.15 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
 Q: Where does one obtain new/modifed rules? How do you merge them in?
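Review bot: The first sentence of the replacement paragraph no longer names the switch it introduces: the old text read "...in concert with the stream4 code, \"-z\"", and the new `+   stream4 code.  By default, snort will alert normally...` drops the `"-z"`, so a reader meets "If the -z switch is specified" two sentences later without the switch ever having been introduced. Suggest keeping the name in the opening sentence, e.g. "...used in concert with the stream4 code, \"-z\"." Two smaller points in the same hunk: "snort" is lower-case in the added line while the rest of the paragraph uses "Snort", and "will alert normally and will alert statelessly" says the same thing twice ("by default Snort alerts statelessly" would do). The added line `+   other than a RST or FIN was seen going back to the originator).  ` also carries trailing whitespace.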

