[Snort-users] porno rules -- portscan2 &c
neil at ...1633...
Tue Apr 29 14:48:04 EDT 2003
Matt Kettler <mkettler at ...4108...> wrote in response to me:
>I've only heard of one person who gets decent results with it (I think
>that's Erek) and that person admits their network is "not typical".
Hmmm. Maybe there's two of us now .... ;-)
> - I'm on low end hardware, but enabling spp_conversation and
>spp_portscan2 gives me 10% packet loss, instead of less than 0.1%.
I'm using a Sparc5 with Solaris2.7 and ~200 megs of RAM. It's not high-end by any means. ;-)
These are my stats for the last 24 hours:
Snort analyzed 34234527 out of 34234527 packets, dropping 0(0.000%) packets

Breakdown by protocol:              Action Stats:
  TCP:     32566819 (95.129%)         ALERTS: 862
  UDP:      1029519 ( 3.007%)         LOGGED: 816
  ICMP:       13837 ( 0.040%)         PASSED: 9231
  ARP:        35819 ( 0.105%)
  EAPOL:          0 ( 0.000%)
  IPv6:           0 ( 0.000%)
  IPX:          258 ( 0.001%)
  OTHER:     575986 ( 1.682%)
  DISCARD:        0 ( 0.000%)
> - spp_conversation and portscan2 will triple the memory
>requirements of snort 1.9.1, not sure about 2.x as it's general memory
>needs went up.
I'm using 2.0.0 -- maybe it's better behaved.
> - Any time a client connects out to an external web page
>containing a large number of images, spp_portscan2 sees all the connection
>opens as a "syn ack scan". Despite the fact that it was originated as a syn
>from my network. Portscan2_ignorehosts doesn't help, as it thinks the
>outside server is the source of the attack.
I've gotten a few false positives, but not very many and their footprints
are small in the logs.
I certainly see why you hold your opinion, and you have reason to hold it,
but so far my experience has been different from yours.
Neil Dickey, Ph.D.
Northern Illinois University
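The false positive Matt describes in the quoted text (a web server answering many SYNs from one internal client being reported as the source of a "syn ack scan", with portscan2_ignorehosts unable to suppress it because the alert is attributed to the external server) can be reproduced with a small model of the two counting strategies. This is an added illustration, not Snort's spp_portscan2 code: the packet tuples, the IP addresses and the target threshold of 5 are all constructed for the example, and the real preprocessor's thresholds and data structures differ.

```python
"""Model of the portscan2 'syn ack scan' false positive and a fix.

Added example, not code from Snort or from the thread.  Packets are
constructed tuples (src_ip, src_port, dst_ip, dst_port, tcp_flags).
"""
from collections import defaultdict

# Assumed threshold for this illustration only: distinct (ip, port) targets a
# host may touch before it is reported as a scanner.  spp_portscan2's real
# thresholds are configurable and are not reproduced here.
TARGETS_MAX = 5


def image_fetch(client="10.0.0.5", server="203.0.113.10", n=40):
    """Constructed traffic: one internal client fetches a page with n images,
    opening n connections.  Each is a SYN out and a SYN-ACK back."""
    pkts = []
    for i in range(n):
        sport = 40000 + i
        pkts.append((client, sport, server, 80, "S"))
        pkts.append((server, 80, client, sport, "SA"))
    return pkts


def syn_scan(attacker="198.51.100.7", victim="10.0.0.9", ports=range(1, 31)):
    """Constructed half-open scan: SYNs to many ports, no replies shown."""
    return [(attacker, 55555, victim, p, "S") for p in ports]


def synack_probe(attacker="198.51.100.7", victim="10.0.0.9", ports=range(1, 31)):
    """Constructed unsolicited SYN-ACK probes: no SYN from the victim preceded them."""
    return [(attacker, 80, victim, p, "SA") for p in ports]


def naive_detect(pkts, ignore_hosts=()):
    """Charge every SYN and SYN-ACK to the IP that sent it.

    This reproduces the complaint in the thread: the server that answers 40
    SYNs from one client touches 40 distinct (client, ephemeral port) targets
    and is reported as a 'syn ack scan' source.  Ignoring the client does not
    help, because the client is not the host being counted.
    """
    targets = defaultdict(set)
    alerts = {}
    for src, sport, dst, dport, flags in pkts:
        if flags not in ("S", "SA") or src in ignore_hosts:
            continue
        targets[src].add((dst, dport))
        kind = "syn ack scan" if flags == "SA" else "syn scan"
        if len(targets[src]) >= TARGETS_MAX:
            alerts[src] = kind
    return alerts


def initiator_detect(pkts, ignore_hosts=()):
    """Same counting, but a SYN-ACK that answers a SYN already seen in the
    other direction is a reply and is charged to nobody.  Only the side that
    sent the first packet of a flow accumulates targets, so the web server
    is never counted, while a real SYN scan or an unsolicited SYN-ACK probe
    still crosses the threshold."""
    initiated = set()          # 4-tuples (initiator, iport, responder, rport)
    targets = defaultdict(set)
    alerts = {}
    for src, sport, dst, dport, flags in pkts:
        if flags == "S":
            initiated.add((src, sport, dst, dport))
            kind = "syn scan"
        elif flags == "SA":
            if (dst, dport, src, sport) in initiated:
                continue       # legitimate reply to a SYN we saw
            kind = "syn ack scan"
        else:
            continue
        if src in ignore_hosts:
            continue           # ignore list applies to the initiator, as intended
        targets[src].add((dst, dport))
        if len(targets[src]) >= TARGETS_MAX:
            alerts[src] = kind
    return alerts


if __name__ == "__main__":
    print("naive, image fetch:        ", naive_detect(image_fetch()))
    print("naive, client ignored:     ", naive_detect(image_fetch(), ignore_hosts={"10.0.0.5"}))
    print("initiator, image fetch:    ", initiator_detect(image_fetch()))
    print("initiator, syn scan:       ", initiator_detect(syn_scan()))
    print("initiator, syn-ack probe:  ", initiator_detect(synack_probe()))
```

Running it shows the naive counter blaming 203.0.113.10 for a "syn ack scan" even with the client on the ignore list, while the initiator-aware counter stays quiet on the image fetch and still reports the constructed SYN scan and SYN-ACK probe from 198.51.100.7. The only state the fix needs is a record of which side sent the SYN for each 4-tuple, which is the same direction information a conversation tracker such as spp_conversation already keeps.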