[Snort-users] porno rules
mkettler at ...4108...
Tue Apr 29 14:31:07 EDT 2003
At 04:07 PM 4/29/2003 -0500, Neil Dickey wrote:
>Matt Kettler <mkettler at ...4108...> wrote:
> >It's also inadvisable to use portscan2 and conversation preprocessors..
> >those are disabled by default in snort 2.0's conf.
>I haven't seen that before. Why is it not advisable to use them?
>Just curious ....
In general, they have absurdly high memory and CPU usage, and a lot of
false-positive prone conditions.
I've only heard of one person who gets decent results with it (I think
that's Erek) and that person admits their network is "not typical".
My results are that:
- I'm on low end hardware, but enabling spp_conversation and
spp_portscan2 gives me 10% packet loss, instead of less than 0.1%.
- spp_conversation and portscan2 will triple the memory
requirements of snort 1.9.1, not sure about 2.x as its general memory
needs went up.
- Any time a client connects out to an external web page
containing a large number of images, spp_portscan2 sees all the connection
opens as a "syn ack scan", despite the fact that they originated as SYNs
from my network. Portscan2_ignorehosts doesn't help, as it thinks the
outside server is the source of the attack.
So based on an absurd FP rate, a heavy memory load, high packet losses, and
having heard the same "syn ack scan" complaint repeatedly on the list, I've
summarily decided that portscan2 is broken. The fact that it's disabled by
default in 2.0 would seem to indicate that the snort devs realize it
currently has issues.
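The misattribution Matt describes (a burst of SYN-ACKs from one web server answering a client's many image fetches, counted as a scan *by the server*) can be reproduced with a small model. The following is an added example, not Snort's own code and not a description of portscan2's real algorithm: it contrasts a detector that keys on whoever sends the SYN-ACK with one that tracks the originating SYN (a "conversation") and treats a matching SYN-ACK as a reply. The IP addresses, port numbers, packet tuples and the threshold of 5 ports are all constructed for the illustration.

```python
"""Toy model of the SYN-ACK portscan false positive (added example, not Snort code).

Packets are constructed tuples: (timestamp, src_ip, src_port, dst_ip, dst_port, flags)
with flags "S" for SYN and "SA" for SYN+ACK. Addresses and the port threshold are
assumptions made for this example.
"""
from collections import defaultdict

CLIENT = "192.168.1.10"    # constructed: inside host with a browser
SERVER = "203.0.113.5"     # constructed: outside web server
SCANNER = "198.51.100.7"   # constructed: a genuine scanner
PORT_LIMIT = 5             # assumed threshold: > 5 distinct ports on one target = scan


def make_page_fetch(n_images=25):
    """Client opens n_images connections to SERVER:80; SERVER answers each with SYN+ACK."""
    pkts = []
    for i in range(n_images):
        cport = 40000 + i
        pkts.append((float(i), CLIENT, cport, SERVER, 80, "S"))
        pkts.append((float(i) + 0.01, SERVER, 80, CLIENT, cport, "SA"))
    return pkts


def make_syn_scan(n_ports=30):
    """SCANNER sends SYNs to n_ports distinct ports on SERVER (no replies modelled)."""
    return [(float(p), SCANNER, 50000 + p, SERVER, p, "S") for p in range(1, n_ports + 1)]


def make_synack_scan(n_ports=30):
    """SCANNER sends unsolicited SYN+ACKs to n_ports distinct ports on SERVER."""
    return [(float(p), SCANNER, 50000 + p, SERVER, p, "SA") for p in range(1, n_ports + 1)]


def naive_synack_detector(packets, port_limit=PORT_LIMIT):
    """Attribute every SYN+ACK to its sender: count distinct destination ports per
    (sender, target) and flag the sender once the count exceeds port_limit.
    This is the behaviour that makes a busy web server look like the scanner."""
    seen = defaultdict(set)   # (sender, target) -> set of destination ports
    alerts = set()
    for _ts, src, _sport, dst, dport, flags in packets:
        if flags == "SA":
            seen[(src, dst)].add(dport)
            if len(seen[(src, dst)]) > port_limit:
                alerts.add(src)
    return alerts


def conversation_aware_detector(packets, port_limit=PORT_LIMIT):
    """Track who sent the initial SYN. A SYN+ACK that answers a tracked SYN is a
    reply and is ignored; only unsolicited SYN+ACKs and SYNs count as probes,
    attributed to the host that sent them."""
    pending = set()                  # (client, cport, server, sport) awaiting a reply
    probed = defaultdict(set)        # (originator, target) -> set of destination ports
    alerts = set()
    for _ts, src, sport, dst, dport, flags in packets:
        if flags == "S":
            pending.add((src, sport, dst, dport))
        elif flags == "SA":
            if (dst, dport, src, sport) in pending:
                continue             # legitimate answer to a SYN we saw leave
        else:
            continue
        probed[(src, dst)].add(dport)
        if len(probed[(src, dst)]) > port_limit:
            alerts.add(src)
    return alerts


if __name__ == "__main__":
    fetch = make_page_fetch()
    print("naive, page fetch:", naive_synack_detector(fetch))            # {'203.0.113.5'}: server blamed
    print("conversation-aware, page fetch:", conversation_aware_detector(fetch))  # set()
    print("conversation-aware, SYN scan:", conversation_aware_detector(make_syn_scan()))
    print("both, SYN-ACK scan:", naive_synack_detector(make_synack_scan()),
          conversation_aware_detector(make_synack_scan()))
```

Note the practical consequence the post points out: an ignore-hosts list keyed on the *flagged* source cannot fix the naive detector, because the flagged source is whichever outside server the client happened to visit, while whitelisting the inside client does nothing since the client is never the one being flagged.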