Thu Nov 23 16:36:19 EST 2017
-z    The -z switch is used in concert with the stream4 preprocessor code. It takes advantage of stream4's stateful inspection capabilities to reduce the amount of spoofing that may be done against Snort. By default, snort doesn't worry about the TCP state of a packet when it's about to issue an alert. The -z switch tells Snort to only allow alerts to be generated for packets that are part of a known, established session. This allows Snort to greatly reduce the effect of anti-NIDS tools like stick and snot.
So if you are using '-z est', then you should just change it to '-z', since snort now defaults to established mode when the switch is present.
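As an added illustration (this is not Snort's stream4 code and not part of the original post), the following is a simplified model of the established-only alert gating that the quoted text describes: a minimal three-way-handshake tracker plus one content rule, run over a constructed packet list that mixes a genuine session with stick/snot-style spoofed packets whose payloads match the rule but which belong to no session. The names `StateTracker`, `run` and `RULE_CONTENT`, and every address and payload, are assumptions made for the example; real stream4 also validates sequence numbers, timeouts and much else.

```python
"""Model of Snort's -z (established-only) alert gating.

Added illustration, not Snort's own code. A tiny TCP session tracker and
a single payload rule are run over constructed packets, once without
gating (plain Snort) and once with it (-z), to show which alerts survive.
"""

from dataclasses import dataclass

# TCP flag bits as in the TCP header; the packets below are synthetic.
SYN, ACK, PSH = 0x02, 0x10, 0x08

# Hypothetical content rule: the sort of signature stick/snot replay.
RULE_CONTENT = b"/etc/passwd"


@dataclass(frozen=True)
class Packet:
    src: str          # "ip:port" (constructed)
    dst: str          # "ip:port" (constructed)
    flags: int
    payload: bytes = b""


@dataclass
class Session:
    state: str = "SYN_SENT"   # SYN_SENT -> SYN_RECV -> ESTABLISHED


def session_key(pkt: Packet) -> tuple:
    """Direction-independent key so both halves of a flow share a session."""
    return tuple(sorted((pkt.src, pkt.dst)))


class StateTracker:
    """Minimal three-way-handshake tracker (no sequence-number checks)."""

    def __init__(self) -> None:
        self.sessions: dict = {}

    def update(self, pkt: Packet) -> None:
        key = session_key(pkt)
        sess = self.sessions.get(key)
        if pkt.flags & SYN and not pkt.flags & ACK:
            # A bare SYN opens a session; a retransmitted SYN keeps the existing one.
            self.sessions.setdefault(key, Session())
        elif sess and sess.state == "SYN_SENT" and pkt.flags & SYN and pkt.flags & ACK:
            sess.state = "SYN_RECV"
        elif sess and sess.state == "SYN_RECV" and pkt.flags & ACK:
            sess.state = "ESTABLISHED"

    def established(self, pkt: Packet) -> bool:
        sess = self.sessions.get(session_key(pkt))
        return sess is not None and sess.state == "ESTABLISHED"


def rule_matches(pkt: Packet) -> bool:
    return RULE_CONTENT in pkt.payload


def run(packets, established_only: bool) -> list:
    """Return the indexes of packets that raise an alert.

    established_only=False models plain Snort (alert on any matching packet);
    established_only=True models -z (alert only inside an established session).
    """
    tracker = StateTracker()
    alerts = []
    for i, pkt in enumerate(packets):
        tracker.update(pkt)
        if rule_matches(pkt) and (not established_only or tracker.established(pkt)):
            alerts.append(i)
    return alerts


# Constructed traffic: one real session, then stick/snot-style noise.
CLIENT, SERVER, ATTACKER = "10.0.0.5:40000", "10.0.0.9:80", "198.51.100.7:1234"
SAMPLE_PACKETS = [
    Packet(CLIENT, SERVER, SYN),                                           # 0 handshake
    Packet(SERVER, CLIENT, SYN | ACK),                                     # 1 handshake
    Packet(CLIENT, SERVER, ACK),                                           # 2 established
    Packet(CLIENT, SERVER, ACK | PSH, b"GET /../../etc/passwd HTTP/1.0\r\n"),  # 3 real hit
    Packet(ATTACKER, SERVER, ACK | PSH, b"GET /etc/passwd HTTP/1.0\r\n"),  # 4 no session
    Packet(ATTACKER, SERVER, SYN, b"/etc/passwd"),                         # 5 SYN only
    Packet("203.0.113.4:5555", SERVER, ACK | PSH, b"cat /etc/passwd"),     # 6 no session
]

if __name__ == "__main__":
    print("without -z:", run(SAMPLE_PACKETS, established_only=False))
    print("with    -z:", run(SAMPLE_PACKETS, established_only=True))
```

Without gating every rule-matching packet alerts (indexes 3 to 6); with gating only packet 3, the one inside the completed handshake, alerts, which is exactly the noise reduction against stick and snot that the quoted text claims. The spoofed SYN at index 5 does open a half-session, so a tracker like this still needs timeouts to avoid being filled with stale entries.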