Snort mailing list archives
Re: Portscan preprocessors dropping packets on a simple nmap-scan
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Mon, 13 Jan 2003 20:34:42 +0100
Hi and thanks for the fast answer. -> Ashley Thomas wrote:
Are you referring to the packet drops reported by snort ?
Yes
IMHO, there might be a lot of logging being done, since you are using nmap to generate a lot of alert causing packets; and excessive logging willsurely overload any IDS.
:( > (When you disable portscan preprocessor,
those alerts are not generated, thereby not loading the IDS)
Yes, that's clear. However, I would not expect that with about 3000 packets there are 10% packets dropped.
How are you running snort ? (what are the options used ? )
- var $HOME_NET 192.168.25.0/24 - Logging in unified format alerts and logs - checksum_mode none - Order pass info alert log activation dynamic - Preprocessor portscan (!) only I tried also the combination stream4/conversation with slightly better results. :( Command line: snort -I -D -z -c snort.conf_eth0 -i eth0 -u snort -g snort
-Ashley Edin Dizdarevic wrote:Hello, I have a strange situation here: I'm making some tests on a net with heavy load. I run simple nmap X/F/N-scans having always some packets dropped. I've tried 3 different NICs (Intel/3Com and SIS900(Realtek)) and the problem remained. No matter which portscan-preprocessor I use, some packets are dropped. Is that normal? After deactivating all portscan detection everything is fine. Any docs covering that? Regards, Edin
Regards, Edin_ -- Edin Dizdarevic ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Portscan preprocessors dropping packets on a simple nmap-scan Edin Dizdarevic (Jan 13)
- Re: Portscan preprocessors dropping packets on a simple nmap-scan Ashley Thomas (Jan 13)
- Re: Portscan preprocessors dropping packets on a simple nmap-scan Edin Dizdarevic (Jan 13)
- Re: Portscan preprocessors dropping packets on a simple nmap-scan Ashley Thomas (Jan 13)