Snort mailing list archives
Re: Portscan preprocessors dropping packets on a simple nmap-scan
From: Erek Adams <erek () snort org>
Date: Tue, 14 Jan 2003 09:09:51 -0500 (EST)
On Tue, 14 Jan 2003, Edin Dizdarevic wrote: [...snip...]
> There are no reliable statements on how fast the network is allowed to be.
heh... Tell me about it. :)
> According to my information, libpcap is able to capture about 700Mbit/s, so that should not be a capturing problem. I already suspected that, since it was no problem to capture 40000 packets in 2 seconds with tcpdump.
Here's something that would be an interesting test case: Use netstat -i to get your in/out packets and errors for the interface in question. Then start snort in one window, and at the same time start tcpdump in another window--Be sure and log to a pcap file for both. After 5 or 10 seconds, stop both. Again check netstat -i and get your numbers. Check the numbers that netstat reports vs. snort vs. tcpdump. There have been cases where it's not code, but hardware. Do you have a 'good' nic? How's the driver for it?
> So, it must be a processing problem. But which preprocessor can handle so much traffic? It should be possible to mask an attack with a simple nmap scan. Isn't that quite easy to achieve?
Well, some folks that I know of with fat pipes (multi DS3s) don't run _any_ processors. They simply log to disk, and then post process with another .conf for processors. That may not work for you, but it might be something to consider.

Hope that helps!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
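The counter comparison Erek describes above (netstat -i before and after, snort and tcpdump both writing a pcap, then compare the three numbers), worked through as an added example that is not from this thread: it parses two constructed `netstat -i` snapshots, counts records in constructed classic-pcap images standing in for the two tools' files, and reports how many packets each tool missed relative to the interface's RX-OK delta, alongside the NIC's own RX-ERR/RX-DRP counters so hardware or driver drops can be told apart from tool drops. The interface name, the counter values and the record counts are all made up.

```python
import struct

# Constructed `netstat -i` snapshots (net-tools layout) taken before and after
# a 2-second capture window; the numbers are made up for this example.
NETSTAT_BEFORE = """\
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  120000      0      5      0   80000      0      0      0 BMRU
"""
NETSTAT_AFTER = """\
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  160000      0    905      0   80100      0      0      0 BMRU
"""

def parse_netstat_i(text):
    """Map interface name -> (RX-OK, RX-ERR, RX-DRP) from `netstat -i` output."""
    stats = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[3].isdigit():          # skips the header line
            stats[f[0]] = (int(f[3]), int(f[4]), int(f[5]))
    return stats

def interface_delta(before, after, iface):
    """Packets the NIC counted during the window, per counter."""
    b, a = parse_netstat_i(before)[iface], parse_netstat_i(after)[iface]
    return tuple(x - y for x, y in zip(a, b))

def count_pcap_records(data):
    """Count packet records in a classic (libpcap, non-pcapng) file image."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    off, n = 24, 0                                  # 24-byte global header
    while off + 16 <= len(data):                    # 16-byte record header
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        off, n = off + 16 + incl_len, n + 1
    return n

def make_pcap(n_packets, caplen=60):
    """Build a constructed little-endian pcap image with n identical records."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, caplen, caplen) + b"\x00" * caplen
    return header + record * n_packets

def capture_report(before, after, iface, pcaps):
    """Compare the NIC's RX delta with what each capture tool wrote to disk."""
    rx_ok, rx_err, rx_drp = interface_delta(before, after, iface)
    report = {"nic": {"rx_ok": rx_ok, "rx_err": rx_err, "rx_drp": rx_drp}}
    for tool, image in pcaps.items():
        n = count_pcap_records(image)
        report[tool] = {"captured": n, "missed_pct": round(100.0 * (rx_ok - n) / rx_ok, 1)}
    return report
```

On a real box, replace the constructed snapshots with the output of `netstat -i` and pass the bytes of the two `-w` files to `capture_report`; a large RX-DRP or RX-ERR delta points at the NIC or driver rather than at either tool.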