[Snort-users] Speed & pacing of portscan log?
jesus.couto at ...3830...
Wed Oct 31 11:45:02 EST 2001
I'm testing some ways to get the portscan log translated to our central
console in "real time",
and found some weird things with the speed & pacing of the portscan log.
For example, configuring snort with HOME_NET pointing to a single host,
and scanning that host with nmap, I have found that the slower the scan is, the
"faster" the logging!
If I scan at the normal speed, the portscan log shows nothing, and keeps
that way till I do another scan, or a different kind of scan (a FIN scan, say).
If I scan at -T Polite (.4 seconds between probes), I get a constant
stream of packets to the log, and it's just the last few packets that
are forever in the twilight zone unless I do another scan.
Configuration is: snort 1.8.1-RELEASE with the latest ruleset, portscan
preprocessor portscan: $HOME_NET 4 6 portscan.log
and output to MySQL database. All running on a RedHat 7.1 machine.
Any idea what I'm doing wrong? Or is it to be expected?
Jesús Couto F.