Snort mailing list archives

portscan preprocessor in 1.8p1


From: Andreas Steinmetz <ast () domdv de>
Date: Fri, 27 Jul 2001 19:22:00 +0200 (CEST)

Snort version: 1.8p1

snort.conf:

preprocessor portscan-ignorehosts: a.b.c.1/32 a.b.c.11/32

portscan.log:

Jul 27 00:51:38 a.b.c.11:25 -> x.y.z.132:8286 FIN *2*****F


Didn't happen with 1.7, I wonder. I don't even know if I should believe these
kinds of log entries due to the variety of problems I'm having with 1.8p1.

BTW: At least one preprocessor of 1.8p1 has a memory leak (I guess for tcp
defragmentation/reassembly, as the internal sensors show a very small leak rate
compared to the external sensor). At least one preprocessor of 1.8p1 causes
snort to crash sometimes (snort did crash about twice a day until I did set up
core dumping. Since then just one more crash - Murphy).

Unfortunately I don't have the resources available to run different snort
versions on my sensor system (memory/cpu for 8 instead of 4 sensor processes).
I'm slowly but steadily feeling inclined to revert to 1.7...


Andreas Steinmetz
D.O.M. Datenverarbeitung GmbH
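
One way to check a sensor for the symptom reported above, a portscan.log entry whose source is listed in portscan-ignorehosts. This is an added example, not part of the original message and not Snort code. The addresses are constructed documentation ranges standing in for the masked ones, and the log layout is assumed from the single line quoted in the post.

```python
import ipaddress
import re

# Constructed samples: documentation ranges replace the post's masked addresses.
SAMPLE_CONF = "preprocessor portscan-ignorehosts: 192.0.2.1/32 192.0.2.11/32\n"
SAMPLE_LOG = """\
Jul 27 00:51:38 192.0.2.11:25 -> 198.51.100.132:8286 FIN *2*****F
Jul 27 00:52:10 203.0.113.7:4431 -> 198.51.100.132:22 SYN ******S*
"""

DIRECTIVE = re.compile(r"^\s*preprocessor\s+portscan-ignorehosts\s*:\s*(.*)$")
# Assumed layout, taken from the single portscan.log line quoted in the post.
LOG_LINE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+([\d.]+):\d+\s+->\s+[\d.]+:\d+\s+\S+\s+\S+\s*$")


def ignored_networks(conf_text):
    """Collect the literal address/CIDR entries of portscan-ignorehosts lines."""
    nets = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        for token in (m.group(1).split() if m else []):
            try:
                nets.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # anything that is not a literal address/CIDR is skipped
    return nets


def ignored_sources_logged(conf_text, log_text):
    """Return (timestamp, source, network) for log entries from ignored hosts."""
    nets, hits = ignored_networks(conf_text), []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a portscan.log entry in the assumed layout
        try:
            src = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # digits and dots, but not a valid IPv4 address
        net = next((n for n in nets if src in n), None)
        if net is not None:
            hits.append((m.group(1), str(src), str(net)))
    return hits


if __name__ == "__main__":
    for ts, src, net in ignored_sources_logged(SAMPLE_CONF, SAMPLE_LOG):
        print(f"{ts}: {src} logged despite ignore entry {net}")
```

Any hit means the running sensor logged a host it was configured to ignore, which is worth attaching to a bug report together with the exact Snort version.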
