Snort mailing list archives

Snort inline kills scans (but why?)


From: pieter claassen <pieter () openauth co uk>
Date: 28 Mar 2003 10:54:02 +0000

Hello,

I have been testing Snort inline in the following setup:

1. Binary supplied by Honeynet
2. Iptables configuration to pass all forward traffic to snort-inline
(forward default policy drop)
3. Default honeynet drop rules.


I am testing with nessus and find the following:
1. When I switch snort-inline on, all port scans slow down dramatically.
The inline machine shows no load and little mem usage, so I cannot
understand why this should happen.
2. If I disable all the pre-processors, then snort-inline picks up
virtually nothing.

So, here are my questions:
1. Is there any more information about what the pre-processors do?
2. Does anybody have an idea why the port scans slow down so
dramatically when I switch snort-inline on?

Thanks,
Pieter
-- 
-----------------------------
Pieter Claassen
pieter () openauth co uk
http://www.openauth.co.uk



