[Snort-devel] Config Stateful Issue

Milani Paolo Paolo.Milani at ...866...
Wed Feb 15 00:20:02 EST 2006

Hi Joel,

I think your observations are correct, but your understanding of what the -z switch is supposed to do is not. From the snort manual (html version currently on snort.org):

"Stream4 introduces a new command line switch: -z. On TCP traffic, if the -z switch is specified, Snort will only alert on streams that have been established via a three way handshake or streams where cooperative bidirectional activity has been observed (i.e., where some traffic went one way and something other than a RST or FIN was seen going back to the originator)."

So yes, it will alert on streams where a 3-way handshake did not happen, but only if packets were seen coming both ways. This should really be enough to protect against stick/snot DoS attacks, so I think config stateful serves its intended purpose.

Paolo Milani

Telecom Italia Group - Management and coordination by Telecom Italia S.p.A.

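The rule quoted from the manual above, as an added example that is not part of the original message and is not Snort's stream4 code: a simplified Python model that marks a TCP flow as established after a three-way handshake or after a non-RST/FIN reply toward the originator, replayed over constructed packets. The flag-only packet tuples, the addresses, and the choice to leave SYN-flagged replies to the handshake tracker are assumptions of this sketch.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class Flow:
    originator: tuple      # (ip, port) of the first sender seen on this flow
    hs: int = 0            # handshake progress: 0 none, 1 SYN seen, 2 SYN-ACK seen
    established: str = ""  # "", "handshake" or "bidirectional"

def track(flows, src, dst, flags):
    """Update state for one TCP segment. Returns why the stream counts as
    established, or "" while alerts on it would still be suppressed."""
    flow = flows.setdefault(tuple(sorted((src, dst))), Flow(originator=src))
    if flow.established:
        return flow.established
    if src == flow.originator:
        if flags & SYN and not flags & ACK:
            flow.hs = 1
        elif flow.hs == 2 and flags & ACK and not flags & (SYN | RST | FIN):
            flow.established = "handshake"
    elif flags & SYN and flags & ACK:
        # Assumption of this model: SYN-flagged replies only advance the
        # handshake tracker and do not count as cooperative activity.
        if flow.hs == 1:
            flow.hs = 2
    elif not flags & (RST | FIN | SYN):
        # Something other than a RST or FIN went back to the originator.
        flow.established = "bidirectional"
    return flow.established

def replay(packets):
    """Run constructed (src, dst, flags) tuples through a fresh flow table."""
    flows = {}
    return [track(flows, s, d, f) for s, d, f in packets]

# Constructed sample traffic (documentation addresses, not from the thread).
SRV = ("192.0.2.10", 80)
CLI = ("198.51.100.7", 40000)
ONE_WAY = [((f"198.51.100.{i}", 1024 + i), SRV, PSH | ACK) for i in range(1, 4)]
HANDSHAKE = [(CLI, SRV, SYN), (SRV, CLI, SYN | ACK), (CLI, SRV, ACK), (CLI, SRV, PSH | ACK)]
MIDSTREAM = [(CLI, SRV, PSH | ACK), (SRV, CLI, ACK), (CLI, SRV, PSH | ACK)]
RST_REPLY = [(CLI, SRV, PSH | ACK), (SRV, CLI, RST | ACK), (CLI, SRV, PSH | ACK)]

if __name__ == "__main__":
    for name in ("ONE_WAY", "HANDSHAKE", "MIDSTREAM", "RST_REPLY"):
        print(name, replay(globals()[name]))
```

Each list entry is the state after that packet; an empty string means an alert on that stream would be suppressed under this model.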