Snort mailing list archives
RE: Portscan preprocessors dropping packets on a si mple nmap-scan
From: "Gonzalez, Albert" <albert.gonzalez () eds com>
Date: Mon, 13 Jan 2003 15:00:28 -0500
It all depends on *how* your logging. If your monitoring fast pipes (ie: t1 and up) you should try tcpdump format (-b or output log_tcpdump[1]) or even better unified. If you log to binary, then you can run it back through snort with an automated script etc... but with a full logging, that isn't very bright with fast pipes. Cheers! [1] - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.6 PS:> This is well documented in the FAQ. You shouldn't log to full (im assuming here) when you're seeing alot of traffic. --- Alberto Gonzalez EDS - Global Security Operations Center Security and Privacy Professional Servics -----Original Message----- From: Ashley Thomas [mailto:athomas () cc gatech edu] Sent: Monday, January 13, 2003 2:12 PM To: edin.dizdarevic () interActive-Systems de Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan Are you referring to the packet drops reported by snort ? IMHO, there might be a lot of logging being done, since you are using nmap to generate a lot of alert causing packets; and excessive logging will surely overload any IDS. (When you disable portscan preprocessor, those alerts are not generated, thereby not loading the IDS) How are you running snort ? (what are the options used ? ) -Ashley Edin Dizdarevic wrote:
Hello, I have a strange situation here: I'm making some tests on a net with heavy load. I run simple nmap X/F/N-scans having always some packets dropped. I've tried 3 different NICs (Intel/3Com and SIS900(Realtek)) and the problem remained. No matter which portscan-preprocessor I use, some packets are dropped. Is that normal? After deactivating all portscan detection everything is fine. Any docs covering that? Regards, Edin
-- Ashley Thomas Research scientist College of Computing Georgia Tech. ------------------------------------------------------- This SF.NET email is sponsored by: FREE SSL Guide from Thawte are you planning your Web Server Security? Click here to get a FREE Thawte SSL guide and find the answers to all your SSL security issues. http://ads.sourceforge.net/cgi-bin/redirect.pl?thaw0026en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: Portscan preprocessors dropping packets on a si mple nmap-scan Gonzalez, Albert (Jan 13)
- Re: Portscan preprocessors dropping packets on a si mple nmap-scan Edin Dizdarevic (Jan 14)
- Re: Portscan preprocessors dropping packets on a si mple nmap-scan Erek Adams (Jan 14)
- Re: Portscan preprocessors dropping packets on a si mple nmap-scan Edin Dizdarevic (Jan 14)
- Re: Portscan preprocessors dropping packets on a si mple nmap-scan Erek Adams (Jan 14)
- Re: Portscan preprocessors dropping packets on a si mple nmap-scan Edin Dizdarevic (Jan 15)
- Re: Portscan preprocessors dropping packets on a si mple nmap-scan Erek Adams (Jan 14)
- Re: Portscan preprocessors dropping packets on a si mple nmap-scan Edin Dizdarevic (Jan 14)