Snort mailing list archives
Snort inline kills scans (but why?)
From: pieter claassen <pieter () openauth co uk>
Date: 28 Mar 2003 10:54:02 +0000
Hello,

I have been testing Snort inline in the following setup:

1. Binary supplied by Honeynet
2. Iptables configuration to pass all forward traffic to snort-inline (forward default policy drop)
3. Default honeynet drop rules.

I am testing with nessus and find the following:

1. When I switch snort-inline on, all port scans slow down dramatically. The inline machine shows no load and little mem usage, so I cannot understand why this should happen.
2. If I disable all the pre-processors, then snort-inline picks up virtually nothing.

So, here are my questions:

1. Is there any more information about what the pre-processors do?
2. Does anybody have an idea why the port scans slow down so dramatically when I switch snort-inline on?

Thanks,
Pieter