Snort mailing list archives
Re: Snort 1.9.0 taking 100% cpu after a (unknown) while
From: Max Valdez <max () garaged homeip net>
Date: 17 Oct 2002 18:10:44 +0000
On Thu, 2002-10-17 at 20:30, Martin Roesch wrote:
> Can you show us your snort.conf file?
> -Marty
I used to have preprocessor asn1_decode but now I commented it... I got a reply from Mr. Kreimendahl, saying that portscan2 is the problem, I will comment it too if I see the problem again...

This is my conf...

grep -v ^# snort.conf:
-------------------------
var EXTERNAL_NET !$HOME_NET
var DNS_SERVERS $HOME_NET
var SMTP_SERVERS $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var TELNET_SERVERS $HOME_NET
var HTTP_PORTS 80
var SHELLCODE_PORTS !80
var ORACLE_PORTS 1521
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
var RULE_PATH /etc/snort/rules
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan-ignorehosts: 132.248.33.226
preprocessor arpspoof
preprocessor arpspoof_detect_host: 132.248.33.1 00:C0:F0:6B:03:7F
preprocessor arpspoof_detect_host: 132.248.33.2 00:E0:7D:75:68:3B
preprocessor arpspoof_detect_host: 132.248.33.3 08:00:2B:C4:65:A4
preprocessor arpspoof_detect_host: 132.248.33.8 08:00:69:0B:BF:36
preprocessor arpspoof_detect_host: 132.248.33.23 00:10:5A:27:48:4F
preprocessor arpspoof_detect_host: 132.248.33.69 00:04:76:CE:C9:9C
preprocessor arpspoof_detect_host: 132.248.33.120 08:00:69:0E:21:EA
preprocessor arpspoof_detect_host: 132.248.33.217 00:50:04:82:C0:28
preprocessor arpspoof_detect_host: 132.248.33.220 08:00:20:AE:B6:4B
preprocessor arpspoof_detect_host: 132.248.33.230 00:C0:F0:6B:03:0C
preprocessor arpspoof_detect_host: 132.248.33.244 00:01:02:E8:6B:28
preprocessor arpspoof_detect_host: 132.248.33.247 00:01:02:74:5E:22
preprocessor arpspoof_detect_host: 132.248.33.254 00:08:A3:2B:C9:61
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor portscan2: scanners_max 3200, targets_max 5000, target_limit 5, port_limit 20, timeout 60
output database: log, mysql, user=snort password=snortpass dbname=snort host=132.248.33.226
include classification.config
include reference.config
include bad-traffic.rules
include exploit.rules
include scan.rules
include finger.rules
include ftp.rules
include telnet.rules
include rpc.rules
include rservices.rules
include dos.rules
include ddos.rules
include dns.rules
include tftp.rules
include web-cgi.rules
include web-coldfusion.rules
include web-iis.rules
include web-frontpage.rules
include web-misc.rules
include web-client.rules
include web-php.rules
include sql.rules
include x11.rules
include icmp.rules
include netbios.rules
include misc.rules
include attack-responses.rules
include oracle.rules
include mysql.rules
include snmp.rules
include smtp.rules
include imap.rules
include pop3.rules
include nntp.rules
include other-ids.rules
include web-attacks.rules
include backdoor.rules
include virus.rules
include experimental.rules
include local.rules