Snort mailing list archives

Re: porno rules -- portscan2 &c


From: Neil Dickey <neil () geol niu edu>
Date: Tue, 29 Apr 2003 16:47:10 -0500 (CDT)


Matt Kettler <mkettler () evi-inc com> wrote in response to me:

I've only heard of one person who gets decent results with it (I think 
that's Erek) and that person admits their network is "not typical".

Hmmm.  Maybe there's two of us now ....  ;-)

        - I'm on low end hardware, but enabling spp_conversation and 
spp_portscan2 gives me 10% packet loss, instead of less than 0.1%.

I'm using a Sparc5 with Solaris2.7 and ~200 megs of RAM.  It's not high-end by any means.  ;-)

These are my stats for the last 24 hours:

 ===============================================================================
Snort analyzed 34234527 out of 34234527 packets, 
dropping 0(0.000%) packets
Breakdown by protocol:                Action Stats:
    TCP: 32566819   (95.129%)         ALERTS: 862       
    UDP: 1029519    (3.007%)          LOGGED: 816       
   ICMP: 13837      (0.040%)          PASSED: 9231      
    ARP: 35819      (0.105%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 258        (0.001%)
  OTHER: 575986     (1.682%)
DISCARD: 0          (0.000%)
 ========================================================================

        - spp_conversation and portscan2 will triple the memory 
requirements of snort 1.9.1, not sure about 2.x as its general memory 
needs went up.

I'm using 2.0.0 -- maybe it's better behaved.

        - Any time a client connects out to an external web page 
containing a large number of images, spp_portscan2 sees all the connection 
opens as a "syn ack scan", despite the fact that it was originated as a syn 
from my network. Portscan2_ignorehosts doesn't help, as it thinks the 
outside server is the source of the attack.

I've gotten a few false positives, but not very many and their footprints
are small in the logs.

I certainly see why you hold your opinion, and you have reason to hold it,
but so far my experience has been different from yours.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
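The "syn ack scan" false positive Matt describes above, as an added Python example that is not part of this thread or of Snort's own code: a direction-blind counter (a simplified stand-in for the behaviour described, assumed here, not the real spp_portscan2 logic) credits the web server's SYN-ACK replies as a scan, while a tracker that remembers the inside client's SYNs only flags the genuinely unsolicited sweep. Addresses and traffic are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK

# Constructed sample traffic (not a capture): an inside client fetching a
# page with many images (8 connections to one web server, each answered),
# followed by a genuine external SYN sweep against that same client.
WEB, CLIENT, SCANNER = "203.0.113.10", "10.0.0.5", "198.51.100.7"
TRAFFIC = []
for i in range(8):
    TRAFFIC.append(Pkt(CLIENT, WEB, 40000 + i, 80, "S"))
    TRAFFIC.append(Pkt(WEB, CLIENT, 80, 40000 + i, "SA"))
for port in (21, 22, 23, 25, 80, 443):
    TRAFFIC.append(Pkt(SCANNER, CLIENT, 55555, port, "S"))

def naive_scan_sources(pkts, threshold=5):
    """Direction-blind stand-in (assumed, not Snort's code): every SYN or
    SYN-ACK is credited to its sender as a probe of (dst, dport)."""
    probes = defaultdict(set)
    for p in pkts:
        probes[p.src].add((p.dst, p.dport))
    return {s for s, t in probes.items() if len(t) >= threshold}

def direction_aware_scan_sources(pkts, threshold=5):
    """Count a SYN-ACK as a probe only if the matching SYN was never seen;
    a reply to a connection our side opened is not a scan probe."""
    seen_syn = set()
    probes = defaultdict(set)
    for p in pkts:
        if p.flags == "S":
            seen_syn.add((p.src, p.dst, p.sport, p.dport))
            probes[p.src].add((p.dst, p.dport))
        elif p.flags == "SA":
            # Reverse the 4-tuple: was this SYN-ACK solicited by our SYN?
            if (p.dst, p.src, p.dport, p.sport) not in seen_syn:
                probes[p.src].add((p.dst, p.dport))
    return {s for s, t in probes.items() if len(t) >= threshold}

if __name__ == "__main__":
    print("naive:", naive_scan_sources(TRAFFIC))
    print("direction-aware:", direction_aware_scan_sources(TRAFFIC))
```

The naive counter flags both the web server and the scanner; the direction-aware one flags only the scanner, which is the distinction an ignore-hosts list keyed on the SYN-ACK sender cannot make.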



