Snort mailing list archives
Re: Portscan preprocessors dropping packets on a simple nmap-scan
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Wed, 15 Jan 2003 08:56:53 +0100
Hi,

-> Erek Adams wrote:

> On Tue, 14 Jan 2003, Edin Dizdarevic wrote:
>
> [...snip...]
>
>> As I already said, this is probably not a capturing problem. I have no dropped packets at all in the statistics. Capturing with tcpdump is working fine. I also captured with Snort in capture mode - no problem. :(
>
> Ok... I'm just trying to make sure I'm on the same page: If you run Snort w/spp_portscan or portscan2 then you get dropped packets--No matter if you're coming off the wire or the pcap?
...or stream4, yes, according to Snort statistics after killing with SIGUSR1
>> Well, I used 3Com 905C, Intel EtherExpress 100 and Realtek (SiS900) with same results. That should be a proof enough.
>
> Ok... OS? Is the driver for the OS stable? I know I might sound like a whiner, but I'm just trying to figure things out. :)

Linux 2.4.18/19/20, Red Hat, libcap 0.7.1, Snort 1.9.0

I had a machine that had 256M RAM, a Celeron 1500. Today I'll try a P4 with 512M. Maybe that will help.
>> Hm, N*A? ;).
>
> /me whistles and looks innocent. :)
>
>> However, indeed a very interesting idea! Only find the way to buffer the stuff in the traffic peaks. A FIFO perhaps? tcpdump -n -l -i eth0 -w log.bin ; snort -r log.bin ? ;) The latency time should not be very high.
>
> That could work, but it all depends on your net. FWIW, there is a named pipe plugin that might work for you... Have a look at that. :)
|8-P°°° ...to find, where?
> /me looks around for the info on it.
Nice...
> Drop me an email, I'll see what I can come up with on that for you.
Here it is... ;)
> Cheers!
>
> -----
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
-- Edin Dizdarevic