Re: Snort 1.9.0 taking 100% cpu after a (unknown) while

[Max Valdez <max () garaged homeip net>]

On Thu, 2002-10-17 at 20:30, Martin Roesch wrote:
> Can you show us your snort.conf file?
>
>       -Marty

I used to have 
preprocessor asn1_decode

but now i commented it...

I got a reply from Mr. Kreimendahl, saying that portscan2 is the
problem, i will comment it too if i see the problema again...

This is my conf...

grep -v ^# snort.conf:
-------------------------

var EXTERNAL_NET !$HOME_NET


var DNS_SERVERS $HOME_NET

var SMTP_SERVERS $HOME_NET

var HTTP_SERVERS $HOME_NET

var SQL_SERVERS $HOME_NET

var TELNET_SERVERS $HOME_NET


var HTTP_PORTS 80

var SHELLCODE_PORTS !80

var ORACLE_PORTS 1521

var AIM_SERVERS
[64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]

var RULE_PATH /etc/snort/rules




preprocessor frag2



preprocessor stream4: detect_scans, disable_evasion_alerts


preprocessor stream4_reassemble


preprocessor http_decode: 80 unicode iis_alt_unicode double_encode
iis_flip_slash full_whitespace


preprocessor rpc_decode: 111 32771


preprocessor bo: -nobrute


preprocessor telnet_decode



preprocessor portscan-ignorehosts: 132.248.33.226


preprocessor arpspoof

preprocessor arpspoof_detect_host: 132.248.33.1 00:C0:F0:6B:03:7F
preprocessor arpspoof_detect_host: 132.248.33.2 00:E0:7D:75:68:3B
preprocessor arpspoof_detect_host: 132.248.33.3 08:00:2B:C4:65:A4
preprocessor arpspoof_detect_host: 132.248.33.8 08:00:69:0B:BF:36
preprocessor arpspoof_detect_host: 132.248.33.23 00:10:5A:27:48:4F
preprocessor arpspoof_detect_host: 132.248.33.69 00:04:76:CE:C9:9C
preprocessor arpspoof_detect_host: 132.248.33.120 08:00:69:0E:21:EA
preprocessor arpspoof_detect_host: 132.248.33.217 00:50:04:82:C0:28
preprocessor arpspoof_detect_host: 132.248.33.220 08:00:20:AE:B6:4B
preprocessor arpspoof_detect_host: 132.248.33.230 00:C0:F0:6B:03:0C
preprocessor arpspoof_detect_host: 132.248.33.244 00:01:02:E8:6B:28
preprocessor arpspoof_detect_host: 132.248.33.247 00:01:02:74:5E:22
preprocessor arpspoof_detect_host: 132.248.33.254 00:08:A3:2B:C9:61






preprocessor conversation: allowed_ip_protocols all, timeout 60,
max_conversations 32000


preprocessor portscan2: scanners_max 3200, targets_max 5000,
target_limit 5, port_limit 20, timeout 60




 output database: log, mysql, user=snort password=snortpass dbname=snort
host=132.248.33.226







include classification.config


include reference.config


include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules

include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-client.rules
include web-php.rules

include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include oracle.rules
include mysql.rules
include snmp.rules

include smtp.rules
include imap.rules
include pop3.rules

include nntp.rules
include other-ids.rules
 include web-attacks.rules
 include backdoor.rules
include virus.rules
include experimental.rules
include local.rules



-------------------------------------------------------
This sf.net email is sponsored by: viaVerio will pay you up to
$1,000 for every account that you consolidate with us.
http://ad.doubleclick.net/clk;4749864;7604308;v?
http://www.viaverio.com/consolidator/osdn.cfm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users