Somewhere in the back of my mind, I remember a change in the -z switch
to snort.
I also seem to remember it being replaced by a snort.conf option.
If this is so, could the FAQ and documentation maintainer make changes?
Example:
http://www.snort.org/docs/faq/1Q05/node47.html#stream4
There is a new command line switch that is used in concert with the
stream4 code, ``-z''. The -z switch can take one of two arguments:
``est'' and ``all''. The ``all'' argument is the default if you don't
specify anything and tells Snort to alert normally. If the -z switch is
specified with the ``est'' argument, Snort will only alert (for TCP
traffic) on streams that have been established via a three way handshake
or streams where cooperative bidirectional activity has been observed
(i.e. where some traffic went one way and something other than a RST or
FIN was seen going back to the originator). With ``-z est'' turned on,
Snort completely ignores TCP-based stick/snot ``attacks''.
-z est doesn't work as of snort ver (2.3?)
-z all doesn't work as of snort ver 2.3
Documentation says using -z user default (all) not true?
Correct option should be -z enables est mode.
--
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id�865&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
