[Snort-users] Speed & pacing of portscan log?

Jesus Couto jesus.couto at ...3830...
Wed Oct 31 11:45:02 EST 2001


I'm testing some ways to get the portscan log translated to our central
console in "real time", and found some weird things with the speed & pacing
of the portscan preprocessor log.

For example, configuring snort with HOME_NET pointing to a single host, and
scanning that host with nmap, I have found that the slower the scan is, the
"faster" the logging!
If I scan at the normal speed, the portscan log shows nothing, and keeps
showing nothing till I do another scan, or a different kind of scan (a FIN
scan, say). If I scan at -T Polite (.4 seconds between probes), I get a
constant stream of packets to the log, and it's just the last few packets
that are forever in the twilight zone unless I do another scan.

Configuration is: snort 1.8.1-RELEASE with the latest ruleset, portscan
module configured

preprocessor portscan: $HOME_NET 4 6 portscan.log

and output to MySQL database. All running on a RedHat 7.1 machine.

Any idea what I'm doing wrong? Or is it to be expected?

Jesús Couto F.
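
An added illustration, not part of the post above and not Snort's spp_portscan
source: a toy port-scan logger whose housekeeping (expiring scanners and
writing queued entries) runs only in the packet path. The "4 ports in 6
seconds" threshold mirrors the shape of the configuration line above; the
rule that an entry is written once it is older than the window, the
millisecond clock, and the hosts 10.0.0.5 and 10.0.0.9 are assumptions made
for the example. Under those assumptions a burst scan leaves every entry
queued and a 0.4 s-paced scan streams entries while holding back the last
few, until any later packet (or a timer-driven sweep) flushes them.

```python
"""Packet-driven port-scan logger (added example, not Snort code).

Housekeeping happens only inside packet(), so entries queued by the final
probes of a scan stay unwritten until some later packet arrives.  tick()
exposes the same sweep for a timer thread, which is what a real-time
forwarder needs.  Timing semantics are an assumption for illustration.
"""

from dataclasses import dataclass, field


@dataclass
class Scanner:
    first_seen: int                                   # ms
    last_seen: int                                    # ms
    ports: set = field(default_factory=set)
    reported: bool = False
    pending: list = field(default_factory=list)       # (ts, line) not yet written


class PortscanLogger:
    """Flags 'port_threshold distinct ports within window_ms' per source."""

    def __init__(self, port_threshold=4, window_ms=6000):
        self.port_threshold = port_threshold          # the "4" in "4 6"
        self.window_ms = window_ms                    # the "6" in "4 6"
        self.scanners = {}
        self.log = []                                 # lines actually written

    def packet(self, ts, src, dport):
        """Called for every packet; the sweep runs here and only here."""
        self._sweep(ts)
        sc = self.scanners.get(src)
        if sc is None:
            sc = self.scanners[src] = Scanner(first_seen=ts, last_seen=ts)
        if not sc.reported and ts - sc.first_seen > self.window_ms:
            # window elapsed without reaching the threshold: start over
            sc.first_seen, sc.ports = ts, set()
        sc.last_seen = ts
        sc.ports.add(dport)
        if not sc.reported and len(sc.ports) >= self.port_threshold:
            sc.reported = True
            sc.pending.append((ts, f"{ts / 1000:6.1f}s PORTSCAN from {src}: "
                                   f"{len(sc.ports)} ports in "
                                   f"{(ts - sc.first_seen) / 1000:.1f}s"))
        if sc.reported:
            sc.pending.append((ts, f"{ts / 1000:6.1f}s {src} -> port {dport}"))

    def tick(self, now):
        """What a timer thread would do: sweep without waiting for a packet."""
        self._sweep(now)

    def _sweep(self, now):
        # Write queued entries once they are older than the window; forget
        # sources that have been idle longer than the window.
        for src, sc in list(self.scanners.items()):
            keep = []
            for ts, line in sc.pending:
                if now - ts >= self.window_ms:
                    self.log.append(line)
                else:
                    keep.append((ts, line))
            sc.pending = keep
            if not sc.pending and now - sc.last_seen > self.window_ms:
                del self.scanners[src]

    def queued(self):
        """Entries held in the 'twilight zone', not yet written."""
        return sum(len(sc.pending) for sc in self.scanners.values())


def simulate(probe_gap_ms, n_ports, src="10.0.0.5"):
    """Scan n_ports ports from one constructed host, probe_gap_ms apart,
    then stop sending.  Returns the logger for inspection."""
    det = PortscanLogger()
    for i in range(n_ports):
        det.packet(i * probe_gap_ms, src, 1000 + i)
    return det


if __name__ == "__main__":
    fast = simulate(10, 20)          # 20 probes in 0.19 s
    print("fast scan: written", len(fast.log), "queued", fast.queued())
    polite = simulate(400, 40)       # 40 probes, 0.4 s apart
    print("polite scan: written", len(polite.log), "queued", polite.queued())
    polite.tick(30000)               # a timer sweep releases the rest
    print("after tick: written", len(polite.log), "queued", polite.queued())
```

Running it shows the burst scan writing nothing at all while the paced scan
writes most of its entries and holds the final 6 seconds' worth; a single
unrelated packet (a second scan, in the post's terms) or a timer-driven
tick() flushes the remainder.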
