Snort mailing list archives
Re: porno rules
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 17:29:44 -0400
At 04:07 PM 4/29/2003 -0500, Neil Dickey wrote:
> Matt Kettler <mkettler () evi-inc com> wrote:
>
> >It's also inadvisable to use portscan2 and conversation preprocessors..
> >those are disabled by default in snort 2.0's conf.
>
> I haven't seen that before. Why is it not advisable to use them? Just curious ....
In general, it has absurdly high memory and cpu usage, and has a lot of false-positive prone conditions.
I've only heard of one person who gets decent results with it (I think that's Erek) and that person admits their network is "not typical".
My results are that:
- I'm on low end hardware, but enabling spp_conversation and spp_portscan2 gives me 10% packet loss, instead of less than 0.1%.
- spp_conversation and portscan2 will triple the memory requirements of snort 1.9.1, not sure about 2.x as its general memory needs went up.
- Any time a client connects out to an external web page containing a large number of images, spp_portscan2 sees all the connection opens as a "syn ack scan", despite the fact that it was originated as a syn from my network. Portscan2_ignorehosts doesn't help, as it thinks the outside server is the source of the attack.
So based on an absurd FP rate, a heavy memory load, high packet losses, and having heard the same "syn ack scan" complaint repeatedly on the list, I've summarily decided that portscan2 is broken. The fact that it's disabled by default in 2.0 would seem to indicate that the snort devs realize it currently has issues.
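The "syn ack scan" false positive described in this reply, as an added illustration that is not part of the thread and not Snort's own code: a toy detector that credits every SYN/ACK to its sender blames the web server when one browser opens many image connections, and an ignore list for the client does not help because the reported source is the server; a detector that remembers which side sent the initial SYN does not. Hosts, ports and the threshold are constructed sample values.

```python
from collections import defaultdict
from typing import NamedTuple

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK

THRESHOLD = 5  # constructed: distinct (host, port) targets before a host is reported

def web_fetch(client, server, n):
    """Constructed traffic: one browser opening n connections to server:80."""
    pkts = []
    for i in range(n):
        sport = 40000 + i
        pkts.append(Pkt(client, sport, server, 80, "S"))   # client opens the connection
        pkts.append(Pkt(server, 80, client, sport, "SA"))  # server answers
    return pkts

def port_probe(scanner, victim, ports):
    """Constructed traffic: one host sending a SYN to each port and getting SYN/ACKs."""
    pkts = []
    for i, port in enumerate(ports):
        pkts.append(Pkt(scanner, 50000 + i, victim, port, "S"))
        pkts.append(Pkt(victim, port, scanner, 50000 + i, "SA"))
    return pkts

def naive_synack_scan(pkts, ignore=()):
    """Credit every SYN/ACK to its sender: the behaviour the post complains about."""
    targets = defaultdict(set)
    for p in pkts:
        if p.flags == "SA":
            targets[p.src].add((p.dst, p.dport))
    return {h for h, t in targets.items() if len(t) >= THRESHOLD and h not in ignore}

def direction_aware_scan(pkts, ignore=()):
    """Credit a flow to the host that sent the first SYN; a SYN/ACK that
    answers a SYN already seen is a reply, not a probe."""
    opened, targets = set(), defaultdict(set)
    for p in pkts:
        if p.flags == "S":
            opened.add((p.src, p.sport, p.dst, p.dport))
            targets[p.src].add((p.dst, p.dport))
        elif p.flags == "SA" and (p.dst, p.dport, p.src, p.sport) not in opened:
            targets[p.src].add((p.dst, p.dport))  # unsolicited SYN/ACK
    return {h for h, t in targets.items() if len(t) >= THRESHOLD and h not in ignore}
```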