[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan
athomas at ...5484...
Mon Jan 13 11:15:03 EST 2003
Are you referring to the packet drops reported by snort ?
IMHO, there might be a lot of logging being done, since you are using
nmap to generate a lot of alert causing packets; and excessive logging will
surely overload any IDS. (When you disable portscan preprocessor,
those alerts are not generated, thereby not loading the IDS)
How are you running snort ? (what are the options used ? )
Edin Dizdarevic wrote:
> I have a strange situation here: I'm making some tests on a net
> with heavy load. I run simple nmap X/F/N-scans having always some
> packets dropped. I've tried 3 different NICs (Intel/3Com and
> SIS900(Realtek)) and the problem remained. No matter which
> portscan-preprocessor I use, some packets are dropped. Is that normal?
> After deactivating all portscan detection everything is fine. Any docs
> covering that?
College of Computing
More information about the Snort-users