[Snort-users] porno rules -- portscan2 &c

Neil Dickey neil at ...1633...
Tue Apr 29 14:48:04 EDT 2003

Matt Kettler <mkettler at ...4108...> wrote in response to me:

>I've only heard of one person who gets decent results with it (I think 
>that's Erek) and that person admits their network is "not typical".

Hmmm.  Maybe there's two of us now ....  ;-)

>         - I'm on low end hardware, but enabling spp_conversation and 
>spp_portscan2 gives me 10% packet loss, instead of  less than 0.1%.

I'm using a Sparc5 with Solaris2.7 and ~200 megs of RAM.  It's not high-end
by any means.  ;-)

These are my stats for the last 24 hours:

Snort analyzed 34234527 out of 34234527 packets, 
dropping 0(0.000%) packets
Breakdown by protocol:                Action Stats:
    TCP: 32566819   (95.129%)         ALERTS: 862       
    UDP: 1029519    (3.007%)          LOGGED: 816       
   ICMP: 13837      (0.040%)          PASSED: 9231      
    ARP: 35819      (0.105%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 258        (0.001%)
  OTHER: 575986     (1.682%)
DISCARD: 0          (0.000%)

>         - spp_conversation and portscan2 will triple the memory 
>requirements of snort 1.9.1, not sure about 2.x as its general memory 
>needs went up.

I'm using 2.0.0 -- maybe it's better behaved.

>         - Any time a client connects out to an external web page 
>containing a large number of images, spp_portscan2 sees all the connection 
>opens as a "syn ack scan". Despite the fact that it was originated as a syn 
>from my network. Portscan2_ignorehosts doesn't help, as it thinks the 
>outside server is the source of the attack.

I've gotten a few false positives, but not very many and their footprints
are small in the logs.

I certainly see why you hold your opinion, and you have reason to hold it,
but so far my experience has been different from yours.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
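To illustrate the false positive Matt describes above (a client opening many connections to one web server, and the server's SYN/ACK replies being counted as a "syn ack scan"), here is an added example on constructed data; it is not Snort's portscan2 code and not from either poster. It puts a stateless SYN/ACK counter beside one that remembers outbound SYNs, so that only unsolicited SYN/ACKs count toward the threshold. The addresses, ports and threshold are assumptions.

```python
from collections import defaultdict

# Constructed trace, not a capture: (src, dst, sport, dport, flags).
# 10.0.0.5 is an internal client, 203.0.113.10 an external web server that
# answers each of the client's own SYNs; 198.51.100.7 sends SYN/ACKs to ports
# the client never contacted. All addresses are hypothetical.
def build_trace():
    pkts = []
    for i in range(8):  # one page with many images: many short connections
        pkts.append(("10.0.0.5", "203.0.113.10", 40000 + i, 80, {"SYN"}))
        pkts.append(("203.0.113.10", "10.0.0.5", 80, 40000 + i, {"SYN", "ACK"}))
    for port in (21, 22, 25, 80, 110, 143):  # unsolicited SYN/ACKs
        pkts.append(("198.51.100.7", "10.0.0.5", port, 1025, {"SYN", "ACK"}))
    return pkts

def naive_synack_scan(packets, threshold=5):
    """Stateless view: any source sending >= threshold SYN/ACKs is a scanner.
    This reproduces the complaint: the web server itself gets flagged."""
    counts = defaultdict(int)
    for src, _dst, _sport, _dport, flags in packets:
        if flags == {"SYN", "ACK"}:
            counts[src] += 1
    return {s for s, n in counts.items() if n >= threshold}

def stateful_synack_scan(packets, threshold=5):
    """Track outbound SYNs; a SYN/ACK only counts when no matching SYN
    (addresses and ports reversed) was seen before it."""
    pending = set()           # (client, server, client_port, server_port)
    counts = defaultdict(int)
    for src, dst, sport, dport, flags in packets:
        if flags == {"SYN"}:
            pending.add((src, dst, sport, dport))
        elif flags == {"SYN", "ACK"}:
            key = (dst, src, dport, sport)
            if key in pending:
                pending.discard(key)   # reply to a connection we initiated
            else:
                counts[src] += 1       # unsolicited SYN/ACK
    return {s for s, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    trace = build_trace()
    print("naive   :", naive_synack_scan(trace))     # web server wrongly flagged
    print("stateful:", stateful_synack_scan(trace))  # only the unsolicited source
```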
