Snort mailing list archives
Re: Portscan preprocessors dropping packets on a simple nmap-scan
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 14 Jan 2003 13:11:13 +0100
Hi,

Gonzalez, Albert wrote:

> It all depends on *how* you're logging. If you're monitoring fast pipes (ie: t1 and up) you should try tcpdump format (-b or output log_tcpdump[1]) or even better unified.

I'm doing that - no better results.

> If you log to binary, then you can run it back through snort with an automated script

ACK, or Barnyard.

> etc... but with a full logging, that isn't very bright with fast pipes.

There are no reliable statements on how fast the network is allowed to be. According to my information, libpcap is able to capture about 700Mbit/s, so that should not be a capturing problem. I already suspected that, since it was no problem to capture 40000 packets in 2 seconds with tcpdump. So, it must be a processing problem. But which preprocessor can handle so much traffic? It should then be possible to mask an attack with a simple nmap scan. Isn't that quite easy to achieve?

Regards,
Edin

> Cheers!
>
> [1] - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.6
>
> PS: This is well documented in the FAQ. You shouldn't log to full (I'm assuming here) when you're seeing a lot of traffic.
>
> ---
> Alberto Gonzalez
> EDS - Global Security Operations Center
> Security and Privacy Professional Services
>
> -----Original Message-----
> From: Ashley Thomas [mailto:athomas () cc gatech edu]
> Sent: Monday, January 13, 2003 2:12 PM
> To: edin.dizdarevic () interActive-Systems de
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan
>
> Are you referring to the packet drops reported by snort? IMHO, there might be a lot of logging being done, since you are using nmap to generate a lot of alert-causing packets; and excessive logging will surely overload any IDS. (When you disable the portscan preprocessor, those alerts are not generated, thereby not loading the IDS.) How are you running snort? (What are the options used?)
>
> -Ashley
>
> Edin Dizdarevic wrote:
>
>> Hello, I have a strange situation here: I'm making some tests on a net with heavy load. I run simple nmap X/F/N-scans, always having some packets dropped. I've tried 3 different NICs (Intel/3Com and SIS900 (Realtek)) and the problem remained. No matter which portscan-preprocessor I use, some packets are dropped. Is that normal? After deactivating all portscan detection everything is fine. Any docs covering that?
>>
>> Regards, Edin
--
Edin Dizdarevic
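The workflow Albert suggests above (log raw packets in tcpdump/binary format with -b or output log_tcpdump, and do the expensive analysis afterwards rather than inline on a loaded sensor) can be shown offline. What follows is an added example and not code from this thread or from the Snort project: a small reader for the tcpdump/pcap file format that applies a portscan-style threshold (N distinct ports from one source inside any T-second window) to a capture constructed in memory; the 4-ports-in-3-seconds values, the 10.0.0.x addresses and the frames themselves are constructed for the example.

```python
import struct
from collections import defaultdict

PCAP_MAGIC, ETH_IPV4 = 0xA1B2C3D4, 0x0800

def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_port) for every TCP/IPv4 frame in a pcap blob."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off = 24                                        # skip the 24-byte pcap global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # truncated, or not Ethernet/IPv4
        ip, ihl = frame[14:], (frame[14] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 4:
            continue                                # TCP only, and the port fields must be present
        yield ts_sec + ts_usec / 1e6, ".".join(map(str, ip[12:16])), struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]

def find_scanners(data, ports=4, period=3.0):
    """Flag sources that touch >= `ports` distinct ports inside any `period`-second window (constructed defaults)."""
    hits = defaultdict(list)
    for ts, src, port in parse_pcap(data):
        hits[src].append((ts, port))
    flagged = {}
    for src, events in hits.items():
        events.sort()                               # the sliding window needs time order
        for i, (t0, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - t0 <= period}
            if len(seen) >= ports:
                flagged[src] = len(seen)
                break
    return flagged

def sample_pcap():
    """Constructed capture: 10.0.0.9 probes five ports within a second, 10.0.0.7 makes two ordinary connections."""
    probes = [(1.0 + i * 0.2, "10.0.0.9", p) for i, p in enumerate((21, 22, 23, 25, 80))]
    normal = [(0.5, "10.0.0.7", 80), (5.0, "10.0.0.7", 443)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # global header, link type 1 = Ethernet
    for ts, src_ip, port in probes + normal:
        src = bytes(int(o) for o in src_ip.split("."))   # Ethernet + IPv4 + TCP SYN, no payload, zero checksums
        frame = (b"\x00" * 12 + b"\x08\x00"
                 + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, b"\x0a\x00\x00\x05")
                 + struct.pack("!HHIIBBHHH", 40000, port, 0, 0, 0x50, 0x02, 8192, 0, 0))
        out += struct.pack("<IIII", int(ts), round((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out
```

Pointing `find_scanners` at a real `snort -b` log file (read as bytes) runs the same threshold over captured traffic; tuning `ports` and `period` trades false positives against missed slow scans.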