Snort mailing list archives
Re: Portscan preprocessors dropping packets on a simple nmap-scan
From: Erek Adams <erek () snort org>
Date: Wed, 15 Jan 2003 00:45:59 -0500 (EST)
On Tue, 14 Jan 2003, Edin Dizdarevic wrote: [...snip...]
> As I already said, this is probably not a capturing problem. I have no dropped packets at all in the statistics. Capturing with tcpdump is working fine. I also captured with Snort in capture mode - no problem. :(
Ok... I'm just trying to make sure I'm on the same page: If you run Snort w/spp_portscan or portscan2 then you get dropped packets--No matter if you're coming off the wire or the pcap?
> Well, I used 3Com 905C, Intel EtherExpress 100 and Realtek (SiS900) with same results. That should be a proof enough.
Ok... OS? Is the driver for the OS stable? I know I might sound like a whiner, but I'm just trying to figure things out. :)
> Hm, N*A? ;).
/me whistles and looks innocent. :)
> However, indeed a very interesting idea! Only find the way to buffer the stuff in the traffic peaks. A FIFO perhaps? tcpdump -n -l -i eth0 -w log.bin ; snort -r log.bin ? ;) The latency time should not be very high.
That could work, but it all depends on your net. FWIW, there is a named pipe plugin that might work for you... Have a look at that. :)
/me looks around for the info on it. Drop me an email, I'll see what I can come up with on that for you.
Cheers!
-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson