Snort mailing list archives

RE: portscan preprocessor in 1.8p1


From: "Neal Timm" <ntimm () satx rr com>
Date: Fri, 27 Jul 2001 15:13:22 -0500

I have been running the latest version of snort for about 2 weeks now with
no problems at all.  I modified the spec file and haven't had any problems
once I got it to compile correctly.

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Andreas Steinmetz
Sent: Friday, July 27, 2001 12:22 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] portscan preprocessor in 1.8p1


Snort version: 1.8p1

snort.conf:

preprocessor portscan-ignorehosts: a.b.c.1/32 a.b.c.11/32

portscan.log:

Jul 27 00:51:38 a.b.c.11:25 -> x.y.z.132:8286 FIN *2*****F


Didn't happen with 1.7, I wonder. I don't even know if I should believe
these kinds of log entries due to the variety of problems I'm having with
1.8p1.

BTW: At least one preprocessor of 1.8p1 has a memory leak (I guess for tcp
defragmentation/reassembly, as the internal sensors show a very small leak
rate compared to the external sensor). At least one preprocessor of 1.8p1
causes snort to crash sometimes (snort did crash about twice a day until I
did set up core dumping. Since then just one more crash - Murphy).

Unfortunately I don't have the resources available to run different snort
versions on my sensor system (memory/cpu for 8 instead of 4 sensor
processes). I'm slowly but steadily feeling inclined to revert to 1.7...


Andreas Steinmetz
D.O.M. Datenverarbeitung GmbH

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



