No subject

Thu Nov 23 16:36:19 EST 2017

     -z   The -z switch is used in concert with the stream4 preprocessor code.
          It takes advantage of stream4's stateful inspection capabilities to
          reduce the amount of spoofing that may be done against Snort. By
          default, snort doesn't worry about the TCP state of a packet when
          it's about to issue an alert. The -z switch tells Snort to only
          allow alerts to be generated for packets that are part of a known,
          established session. This allows Snort to greatly reduce the effect
          of anti-NIDS tools like stick and snot.

So if you are using '-z est' then you should just change it to '-z', since
snort now defaults to established mode when the switch is present.


Erek Adams
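As an added illustration of the stateful filtering the -z switch relies on (this is not Snort's or stream4's code; the Packet record, the three-state tracker and the sample traffic are simplified assumptions constructed here), the sketch below only turns a payload match into an alert once the flow's three-way handshake has been observed, so a stateless packet that merely carries matching bytes is ignored:

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flags as letters, e.g. "S", "SA", "A", "PA"
    payload: bytes = b""
def flow_key(p):
    # Direction-independent key so both halves of a flow share one state entry
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class SessionTracker:
    # Toy stand-in for stream4's state table: follows the three-way handshake
    def __init__(self):
        self.state = {}   # flow_key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"
    def observe(self, p):
        # Update the flow's state from p; return True once it is established
        s = self.state.get(k := flow_key(p))
        if p.flags == "S" and s is None:
            self.state[k] = "SYN_SENT"
        elif p.flags == "SA" and s == "SYN_SENT":
            self.state[k] = "SYN_RECV"
        elif "A" in p.flags and s == "SYN_RECV":
            self.state[k] = "ESTABLISHED"
        return self.state.get(k) == "ESTABLISHED"

def run(packets, signature, established_only):
    # Return (src, dst, dport) per alert; established_only models the -z switch
    tracker, alerts = SessionTracker(), []
    for p in packets:
        established = tracker.observe(p)
        if signature in p.payload and (established or not established_only):
            alerts.append((p.src, p.dst, p.dport))
    return alerts
# Constructed traffic: a real handshake plus a matching payload, then a
# stateless packet carrying the same payload but belonging to no session
SAMPLE = [
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "S"),
    Packet("10.0.0.9", 80, "10.0.0.5", 40000, "SA"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "A"),
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "PA", b"GET /evil HTTP/1.0"),
    Packet("192.0.2.77", 1234, "10.0.0.9", 80, "PA", b"GET /evil HTTP/1.0"),
]

def demo(signature=b"/evil"):
    # Alert counts without and with the -z behaviour
    return len(run(SAMPLE, signature, False)), len(run(SAMPLE, signature, True))
```

Running demo() yields two alerts without the established-only check and one with it; the second, stateless packet never reaches the alert stage under -z.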

More information about the Snort-users mailing list