Snort mailing list archives

Re: porno rules


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 29 Apr 2003 17:29:44 -0400

At 04:07 PM 4/29/2003 -0500, Neil Dickey wrote:

> Matt Kettler <mkettler () evi-inc com> wrote:
>
> >It's also inadvisable to use portscan2 and conversation preprocessors..
> >those are disabled by default in snort 2.0's conf.
>
> I haven't seen that before.  Why is it not advisable to use them?
> Just curious ....

In general, it has absurdly high memory and CPU usage, and has a lot of false-positive-prone conditions.

I've only heard of one person who gets decent results with it (I think that's Erek) and that person admits their network is "not typical".


My results are that:

- I'm on low end hardware, but enabling spp_conversation and spp_portscan2 gives me 10% packet loss, instead of less than 0.1%.

- spp_conversation and portscan2 will triple the memory requirements of snort 1.9.1, not sure about 2.x as its general memory needs went up.

- Any time a client connects out to an external web page containing a large number of images, spp_portscan2 sees all the connection opens as a "syn ack scan", despite the fact that it was originated as a syn from my network. Portscan2_ignorehosts doesn't help, as it thinks the outside server is the source of the attack.


So based on an absurd FP rate, a heavy memory load, high packet losses, and having heard the same "syn ack scan" complaint repeatedly on the list, I've summarily decided that portscan2 is broken. The fact that it's disabled by default in 2.0 would seem to indicate that the snort devs realize it currently has issues.
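To show why the "syn ack scan" false positive above happens, here is an added example (not code from this post or from Snort) that feeds constructed packet records to two detectors: a naive one that counts SYN-ACKs per source, as a stateless scan heuristic would, and a direction-aware one that only counts SYN-ACKs not answering a SYN our own network sent. The addresses, ports and threshold are assumptions chosen for illustration.

```python
"""Naive vs. direction-aware SYN-ACK scan heuristics (illustrative, not Snort's code)."""
from collections import Counter

LOCAL_NET = "10.0.0."  # assumption: our internal address space

# Constructed sample: local client 10.0.0.5 opens 12 connections to one web
# server (a page with many images); the server answers each with a SYN-ACK.
# One unsolicited SYN-ACK from a different outside host is also included.
SAMPLE_PACKETS = []
for port in range(50000, 50012):
    SAMPLE_PACKETS.append(("10.0.0.5", port, "198.51.100.7", 80, "S"))
for port in range(50000, 50012):
    SAMPLE_PACKETS.append(("198.51.100.7", 80, "10.0.0.5", port, "SA"))
SAMPLE_PACKETS.append(("203.0.113.9", 80, "10.0.0.5", 60000, "SA"))


def naive_synack_scan(packets, threshold=10):
    """Flag any source that sends >= threshold SYN-ACKs, ignoring who initiated.

    This is the behaviour the post complains about: the busy web server
    answering our own SYNs looks like a scanner.
    """
    counts = Counter(src for src, _, _, _, flags in packets if flags == "SA")
    return {src for src, n in counts.items() if n >= threshold}


def stateful_synack_scan(packets, threshold=10):
    """Count only SYN-ACKs that do not answer a SYN seen leaving our network."""
    pending = set()          # (client, cport, server, sport) of outbound SYNs
    unsolicited = Counter()  # SYN-ACKs with no matching outbound SYN, per source
    for src, sport, dst, dport, flags in packets:
        if flags == "S" and src.startswith(LOCAL_NET):
            pending.add((src, sport, dst, dport))
        elif flags == "SA":
            key = (dst, dport, src, sport)  # the SYN tuple this would answer
            if key in pending:
                pending.discard(key)        # solicited: part of our own connection
            else:
                unsolicited[src] += 1
    return {src for src, n in unsolicited.items() if n >= threshold}


if __name__ == "__main__":
    print("naive:   ", naive_synack_scan(SAMPLE_PACKETS))     # flags the web server
    print("stateful:", stateful_synack_scan(SAMPLE_PACKETS))  # flags nothing
```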



