[Snort-users] porno rules

Matt Kettler mkettler at ...4108...
Tue Apr 29 14:31:07 EDT 2003


At 04:07 PM 4/29/2003 -0500, Neil Dickey wrote:

>Matt Kettler <mkettler at ...4108...> wrote:
>
> >It's also inadvisable to use portscan2 and conversation preprocessors..
> >those are disabled by default in snort 2.0's conf.
>
>I haven't seen that before.  Why is it not advisable to use them?
>Just curious ....

In general, it has absurdly high memory and CPU usage, and has a lot of 
false-positive-prone conditions.

I've only heard of one person who gets decent results with it (I think 
that's Erek) and that person admits their network is "not typical".


My results are that:

         - I'm on low-end hardware, but enabling spp_conversation and 
spp_portscan2 gives me 10% packet loss, instead of less than 0.1%.

         - spp_conversation and portscan2 will triple the memory 
requirements of snort 1.9.1; not sure about 2.x, as its general memory 
needs went up.

         - Any time a client connects out to an external web page 
containing a large number of images, spp_portscan2 sees all the connection 
opens as a "syn ack scan", despite the fact that they were originated as SYNs 
from my network. Portscan2_ignorehosts doesn't help, as it thinks the 
outside server is the source of the attack.


So based on an absurd FP rate, a heavy memory load, high packet losses, and 
having heard the same "syn ack scan" complaint repeatedly on the list, I've 
summarily decided that portscan2 is broken. The fact that it's disabled by 
default in 2.0 would seem to indicate that the snort devs realize it 
currently has issues.
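The "syn ack scan" false positive described in the message above, modelled as an added example. This is not Snort's code and not a reproduction of how spp_portscan2 is implemented; it is a simplified "distinct target ports per source" counter in the spirit of portscan2's port_limit, run over constructed traffic. The thresholds (PORT_LIMIT, WINDOW), the addresses, the packet tuples and the home network are all assumptions. It shows why ignoring the client address does nothing (the counter sees the external web server as the source of the SYN/ACKs) and what a conversation-aware check, which remembers the outbound SYNs it has already seen, does differently:

```python
"""Simplified portscan-style heuristic, added as an illustration only.

A source is flagged when it sends packets to more than PORT_LIMIT distinct
(destination host, destination port) pairs inside WINDOW seconds.  A client
fetching a page with many images opens many outbound connections, and the
SYN/ACK replies all come from ONE external source to MANY ephemeral ports
on the client, so a naive per-source counter flags the web server.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PORT_LIMIT = 20   # assumed threshold, not Snort's real default
WINDOW = 60.0     # seconds, assumed

# Packet tuple: (time, src, sport, dst, dport, tcp_flags) where tcp_flags is
# "S" for a SYN and "SA" for a SYN/ACK.  Constructed format for this example.


def naive_scan_detect(packets, ignore_hosts=(), port_limit=PORT_LIMIT, window=WINDOW):
    """Per-source counter with no notion of who started the conversation.
    ignore_hosts suppresses sources only, like an ignore-hosts list keyed
    on the scanner address.  Returns the set of flagged source addresses."""
    ignore = {ip_address(h) for h in ignore_hosts}
    history = defaultdict(list)          # src -> [(time, (dst, dport)), ...]
    flagged = set()
    for t, src, sport, dst, dport, flags in packets:
        if ip_address(src) in ignore:
            continue
        hist = history[src]
        hist.append((t, (dst, dport)))
        # keep only the sliding window
        hist[:] = [(ts, tgt) for ts, tgt in hist if t - ts <= window]
        if len({tgt for _, tgt in hist}) > port_limit:
            flagged.add(src)
    return flagged


def conversation_aware_detect(packets, home_net, port_limit=PORT_LIMIT, window=WINDOW):
    """Same counter, but a SYN/ACK that answers a SYN already seen leaving
    home_net is a reply to our own connection, not a probe, and is dropped
    before counting.  Unsolicited SYNs from outside are still counted."""
    home = ip_network(home_net)
    outbound_syns = set()                # (client, cport, server, sport)
    probes = []
    for pkt in packets:
        t, src, sport, dst, dport, flags = pkt
        if flags == "S" and ip_address(src) in home:
            outbound_syns.add((src, sport, dst, dport))
        elif flags == "SA" and (dst, dport, src, sport) in outbound_syns:
            continue                     # reply to a connection we opened
        probes.append(pkt)
    return naive_scan_detect(probes, port_limit=port_limit, window=window)


def image_fetch(client="192.168.1.10", server="203.0.113.5", n_images=25, t0=0.0):
    """Constructed sample: the client opens n_images connections to
    server:80 and each one is answered with a SYN/ACK to a fresh port."""
    pkts = []
    for i in range(n_images):
        cport = 40000 + i
        t = t0 + i * 0.05
        pkts.append((t, client, cport, server, 80, "S"))
        pkts.append((t + 0.01, server, 80, client, cport, "SA"))
    return pkts


def real_scan(scanner="198.51.100.7", target="192.168.1.10", n_ports=30, t0=0.0):
    """Constructed sample: an unsolicited SYN sweep of n_ports low ports."""
    return [(t0 + i * 0.01, scanner, 55555, target, 1 + i, "S") for i in range(n_ports)]


if __name__ == "__main__":
    print("naive, image fetch:      ", naive_scan_detect(image_fetch()))
    print("naive, client ignored:   ", naive_scan_detect(image_fetch(), ignore_hosts=["192.168.1.10"]))
    print("conv-aware, image fetch: ", conversation_aware_detect(image_fetch(), "192.168.1.0/24"))
    print("conv-aware, real scan:   ", conversation_aware_detect(real_scan(), "192.168.1.0/24"))
```

With the naive counter the only ignore-hosts entry that silences the alert is the web server's own address, which is not a workable rule for every image-heavy site a user might visit; the conversation-aware variant suppresses the replies while still flagging the unsolicited sweep in real_scan.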