[Snort-users] Snort questions on performance

Martin Roesch roesch at ...421...
Thu Jan 18 02:15:51 EST 2001


A port scan detection will be flagged in the alert file and have its
data stored in the portscan.log file.  Check out the "Writing Snort
Rules" document at http://www.snort.org as well as the FAQ, manpage, and
snort.conf file for information on how the portscan detector is
configured.

   -Marty

Deja User wrote:
> 
> I am running a decently powered Linux box as a snort and Tcpdump machine. Snort is in IDS mode (snort -A full -c snortfull.conf -l /LOG/snort ) and it is also running Tcpdump to capture all traffic coming through.  It seems that I might be dropping some packets, because I'm port scanning my network using retina and I'm not seeing the port scan on Snort, and I don't even see the source address of where I am initiating the attack from (the directory is not there).  So something is wrong.  How do I know if I am dropping packets/Snort is dropping packets, and is there any degrading effect from running snort and Tcpdump on the same box?  Also, do I need the -h flag if I am setting my home network variable in the rule file?
> 
> Snort is getting its info by spanning the WAN vlan and sending it to the snort box, the box does not have an IP address and the eth0 is in promiscuous mode
> 
> Thanks,
> Mohammed.
> 
> ------------------------------------------------------------
> --== Sent via Deja.com ==--
> http://www.deja.com/
> 

--
Martin Roesch
roesch at ...421...
http://www.snort.org
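As an added illustration of the two files Marty mentions (this is not code from the thread or from the Snort project), the script below pulls the sources that spp_portscan flagged out of a -A full alert file and joins them against the per-connection records in portscan.log, so you can see at a glance which hosts and ports a flagged scanner touched. The sample contents of both files are constructed for this example and only approximate the wording Snort 1.x writes; the alert message text, the portscan.log column layout and the regexes built on them are assumptions, so adjust them to what your own files contain.

```python
import re
from collections import defaultdict

# Constructed sample of an "alert" file written with -A full. The spp_portscan
# message wording is an approximation of Snort 1.x output, not a captured run.
SAMPLE_ALERT = """\
[**] spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (THRESHOLD 4 connections exceeded in 3 seconds) [**]
01/18-02:15:51.120000

[**] spp_portscan: portscan status from 10.0.0.5: 6 connections across 1 hosts: TCP(6), UDP(0) [**]
01/18-02:15:54.300000

[**] spp_portscan: End of portscan from 10.0.0.5: TOTAL time(3s) hosts(1) TCP(6) UDP(0) [**]
01/18-02:15:57.000000
"""

# Constructed sample of portscan.log (assumed layout): timestamp,
# src:port -> dst:port, scan type, TCP flag string.
SAMPLE_PORTSCAN_LOG = """\
Jan 18 02:15:51 10.0.0.5:40001 -> 10.0.0.20:21 SYN ******S*
Jan 18 02:15:51 10.0.0.5:40002 -> 10.0.0.20:22 SYN ******S*
Jan 18 02:15:52 10.0.0.5:40003 -> 10.0.0.20:23 SYN ******S*
Jan 18 02:15:52 10.0.0.5:40004 -> 10.0.0.20:25 SYN ******S*
Jan 18 02:15:53 10.0.0.5:40005 -> 10.0.0.20:80 SYN ******S*
Jan 18 02:15:53 10.0.0.5:40006 -> 10.0.0.20:443 SYN ******S*
"""

# Both patterns are assumptions about the formats above.
ALERT_RE = re.compile(r"\[\*\*\] spp_portscan: PORTSCAN DETECTED from (\S+) ")
LOG_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<kind>\S+)"
)


def scan_sources(alert_text):
    """Source addresses the portscan preprocessor flagged in the alert file."""
    return sorted(set(ALERT_RE.findall(alert_text)))


def scan_detail(log_text):
    """Per-source summary of portscan.log: targets, destination ports, scan kinds."""
    summary = defaultdict(lambda: {"targets": set(), "ports": set(), "kinds": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate a half-written or unexpected line instead of crashing
        entry = summary[m["src"]]
        entry["targets"].add(m["dst"])
        entry["ports"].add(int(m["dport"]))
        entry["kinds"].add(m["kind"])
    return dict(summary)


def correlate(alert_text, log_text):
    """For every source flagged in the alert file, report what portscan.log shows."""
    detail = scan_detail(log_text)
    report = {}
    for src in scan_sources(alert_text):
        d = detail.get(src, {"targets": set(), "ports": set(), "kinds": set()})
        report[src] = {
            "hosts": len(d["targets"]),
            "ports": sorted(d["ports"]),
            "kinds": sorted(d["kinds"]),
        }
    return report


if __name__ == "__main__":
    # To run against a real log directory, read alert and portscan.log from
    # the -l directory (e.g. /LOG/snort) instead of the constructed samples.
    for src, info in correlate(SAMPLE_ALERT, SAMPLE_PORTSCAN_LOG).items():
        print(f"{src}: {info['hosts']} host(s), ports {info['ports']}, {info['kinds']}")
```

If a scanner you launched yourself shows up in neither file, the detector never saw enough of the probe to trip its threshold, which is the symptom Mohammed describes; check the preprocessor line in snort.conf and the documents Marty lists before assuming dropped packets.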
