Snort mailing list archives

Re: Portscan preprocessors dropping packets on a simple nmap-scan


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 14 Jan 2003 13:11:13 +0100


Hi,

Gonzalez, Albert wrote:
> It all depends on *how* you're logging. If you're monitoring fast pipes (i.e. T1
> and up)
> you should try tcpdump format (-b or output log_tcpdump[1]) or even better
> unified.

I'm doing that - no better results

> If you log to binary, then you can run it back through snort with an
> automated script
ACK, or Barnyard

> etc... but with full logging, that isn't very bright with fast pipes.

There are no reliable statements on how fast the network is allowed to
be.

According to my information, libpcap is able to capture about 700Mbit/s,
so that should not be a capturing problem. I already suspected that,
since it was no problem to capture 40000 packets in 2 seconds with
tcpdump. So, it must be a processing problem. But which preprocessor can
handle so much traffic? It should be possible to mask an attack with a
simple nmap scan. Isn't that quite easy to achieve?

Regards,

Edin_


> Cheers!
>
> [1] - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.6
>
> PS: This is well documented in the FAQ. You shouldn't log to full (I'm
> assuming here) when you're seeing a lot of traffic.
> ---
> Alberto Gonzalez
> EDS - Global Security Operations Center
> Security and Privacy Professional Services



> -----Original Message-----
> From: Ashley Thomas [mailto:athomas () cc gatech edu]
> Sent: Monday, January 13, 2003 2:12 PM
> To: edin.dizdarevic () interActive-Systems de
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Portscan preprocessors dropping packets on a
> simple nmap-scan
>
> Are you referring to the packet drops reported by snort?
>
> IMHO, there might be a lot of logging being done, since you are using
> nmap to generate a lot of alert-causing packets; and excessive logging
> will surely overload any IDS. (When you disable the portscan
> preprocessor, those alerts are not generated, thereby not loading the
> IDS.)
>
> How are you running snort? (What options are you using?)
>
> -Ashley
>
> Edin Dizdarevic wrote:
>
> > Hello,
> >
> > I have a strange situation here: I'm doing some tests on a net
> > with heavy load. I run simple nmap X/F/N scans and always have some
> > packets dropped. I've tried 3 different NICs (Intel/3Com and
> > SIS900(Realtek)) and the problem remained. No matter which
> > portscan preprocessor I use, some packets are dropped. Is that normal?
> > After deactivating all portscan detection everything is fine. Any docs
> > covering that?
> >
> > Regards,
> >
> > Edin






--
Edin Dizdarevic
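As an added example (not taken from any message in this thread), here is a snort.conf fragment in the Snort 1.9-era syntax that applies the advice above: keep the portscan preprocessor enabled, but send alerts and packet logs to binary output (tcpdump format, or unified for barnyard) instead of "full" per-alert ASCII logging, so the sensor spends its cycles capturing rather than writing one text file per alert. The file names and the $HOME_NET value are assumptions.

```conf
# snort.conf fragment (added example; file names and HOME_NET are assumed)
var HOME_NET 192.168.1.0/24

# Portscan detection as in the stock 1.9 snort.conf:
# watch $HOME_NET, alert after 4 ports hit within 3 seconds,
# and write the scan record to portscan.log in the log directory.
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Slow: full ASCII alerts (one file per alerting host/packet).
# Comment this out on a busy link.
# output alert_full: alert.full

# Faster: one-line alerts plus packets in tcpdump (pcap) format.
# The same binary packet log can be enabled on the command line with -b.
output alert_fast: alert
output log_tcpdump: snort.log

# Fastest: unified binary alert and packet logs, rotated at 128 MB,
# post-processed by barnyard on another host instead of by the sensor.
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128

# To re-run a captured packet log through the full rule set offline:
#   snort -r snort.log -c snort.conf -l /var/log/snort
```

With log_tcpdump or unified in place, the drop counters printed in Snort's exit statistics are the number to watch while repeating the nmap scan; if they stay flat with the portscan preprocessor enabled, the earlier drops came from the logging path and not from capture.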


