[Snort-users] Snot attacks and -z est option - regarding FAQ 1.9

Andrea Barisani lcars at ...96...
Mon Mar 25 06:24:16 EST 2002


On Mon, Mar 25, 2002 at 02:44:30PM +0100, counter.spy at ...348... wrote:
> Another question:
> I have performed some testing with snot-0.92a attacks against snort during
> the last few weeks.
> Another issue is that I tried to reduce the alerts that were caused by snot
> by using the
> -z est option. That idea was based on my assumption that snot causes many
> fake connections, i.e. no real connections are established. This did not help,
> I still got most of the alerts. 

I've done some testing too with my 'Firewall Tester' and I've found that with
the -z est option snort never issues an alert on unrelated packets; maybe the
alerts you are seeing are generated by SYN packets and not ACK+ ones. 


INFIS Network Administrator & Security Officer         .*. 
Department of Physics       - University of Trieste    /V\
lcars at ...96... - PGP Key 0x8E21FE82      (/ \)
----------------------------------------------------  (   )
"How would you know I'm mad?" said Alice.             ^^-^^
"You must be," said the Cat, "or you wouldn't have come here."
