Snort mailing list archives

Speed & pacing of portscan log?


From: Jesus Couto <jesus.couto () satec es>
Date: Wed, 31 Oct 2001 21:34:02 +0100

Hi,

I'm testing some ways to get the portscan log translated to our central console in "real time", and found some weird things with the speed & pacing of the portscan preprocessor log.

For example, configuring snort with HOME_NET pointing to a single host, and scanning that host with nmap, I have found that the slower the scan is, the "faster" the logging! If I scan at the normal speed, the portscan log shows nothing, and keeps showing nothing till I do another scan, or a different kind of scan (a FIN scan, say). If I scan at -T Polite (.4 seconds between probes), I get a constant stream of packets to the log, and it's just the last few packets that are forever in the twilight zone unless I do another scan.

Configuration is: snort 1.8.1-RELEASE with the latest ruleset, portscan module configured as:

preprocessor portscan: $HOME_NET 4 6 portscan.log

and output to MySQL database. All running on a RedHat 7.1 machine.

Any idea what I'm doing wrong? Or is it to be expected?

Jesús Couto F.
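The behaviour described in the post (a slow scan streams to the log while a fast one shows nothing, and the tail of a scan stays unwritten until more traffic arrives) is what you get from any detector whose state is only advanced when a packet arrives. The following is an added toy model, not the snort portscan preprocessor's code: it reads the `4 6` in the configuration line as "4 distinct ports within 6 seconds", which is an assumption, and it holds log lines back for a fixed period (`hold_ms`, also an assumption) before writing them, draining that buffer only from inside `observe()`. Timestamps, addresses and ports are constructed sample values.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts_ms: int   # arrival time in milliseconds (constructed values, see simulate())
    src: str
    dst: str
    dport: int


class PortscanDetector:
    """Sliding-window portscan detector (toy model, not Snort's spp_portscan).

    Alerts when one source touches at least `ports` distinct destination
    ports within `seconds`. Log lines are buffered for `hold_ms` before
    being written, and the buffer is drained ONLY when a packet is seen.
    """

    def __init__(self, ports=4, seconds=6, hold_ms=2000):
        self.ports = ports
        self.window_ms = seconds * 1000
        self.hold_ms = hold_ms
        self.windows = defaultdict(deque)   # src -> deque of (ts_ms, dport)
        self.flagged = set()                # sources already reported
        self.pending = deque()              # (ts_ms, line) not yet written
        self.written = []                   # what a reader of the log file sees

    def observe(self, p):
        q = self.windows[p.src]
        q.append((p.ts_ms, p.dport))
        # Drop probes older than the detection window.
        while q and p.ts_ms - q[0][0] > self.window_ms:
            q.popleft()
        distinct = {dport for _, dport in q}
        if p.src not in self.flagged and len(distinct) >= self.ports:
            self.flagged.add(p.src)
            self.pending.append((p.ts_ms, f"PORTSCAN from {p.src}: "
                                 f"{len(distinct)} ports within {self.window_ms // 1000}s"))
        if p.src in self.flagged:
            self.pending.append((p.ts_ms, f"{p.src} -> {p.dst}:{p.dport}"))
        # Packet-driven housekeeping: nothing is written between packets.
        self._drain(p.ts_ms)

    def _drain(self, now_ms):
        while self.pending and now_ms - self.pending[0][0] >= self.hold_ms:
            ts, line = self.pending.popleft()
            self.written.append(f"{ts / 1000:.3f} {line}")

    def flush(self):
        """Write everything still buffered; what a timer or shutdown hook should do."""
        while self.pending:
            ts, line = self.pending.popleft()
            self.written.append(f"{ts / 1000:.3f} {line}")


def simulate(interval_ms, nprobes=10):
    """Run one scan of `nprobes` consecutive ports from a constructed source
    against a constructed target, `interval_ms` apart, and return the detector."""
    det = PortscanDetector(ports=4, seconds=6)
    for i in range(nprobes):
        det.observe(Probe(1_000_000 + i * interval_ms, "10.0.0.5", "10.0.0.1", 1 + i))
    return det


if __name__ == "__main__":
    for label, gap in (("fast (10 ms)", 10), ("polite (400 ms)", 400), ("slow (3 s)", 3000)):
        d = simulate(gap)
        print(f"{label}: flagged={sorted(d.flagged)} written={len(d.written)} "
              f"still pending={len(d.pending)}")
```

With a 10 ms gap the source is flagged after the fourth probe but nothing reaches the log, because no buffered line is ever old enough at the moment a packet arrives; with a 400 ms gap lines stream out while the last few stay pending; with a 3 s gap only three ports ever fall inside the 6 s window and nothing is flagged at all. The `flush()` method is the piece such a design needs: a periodic timer or shutdown hook that drains the buffer without waiting for the next packet.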

