[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan

Ashley Thomas athomas at ...5484...
Mon Jan 13 11:15:03 EST 2003


Are you referring to the packet drops reported by snort ?

IMHO, there might be a lot of logging being done, since you are using
nmap to generate a lot of alert causing packets; and excessive logging will
surely overload any IDS. (When you disable portscan preprocessor,
those alerts are not generated, thereby not loading the IDS)

How are you running snort ? (what are the options used ? )

-Ashley

Edin Dizdarevic wrote:

>
> Hello,
>
> I have a strange situation here: I'm making some tests on a net
> with heavy load. I run simple nmap X/F/N-scans having always some
> packets dropped. I've tried 3 different NICs (Intel/3Com and
> SIS900(Realtek)) and the problem remained. No matter which
> portscan-preprocessor I use, some packets are dropped. Is that normal?
> After deactivating all portscan detection everything is fine. Any docs
> covering that?
>
> Regards,
>
> Edin
>
>


-- 
Ashley Thomas
Research scientist
College of Computing
Georgia Tech.






More information about the Snort-users mailing list