[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan

Edin Dizdarevic edin.dizdarevic at ...7509...
Mon Jan 13 11:35:05 EST 2003


Hi and thanks for the fast answer.

Ashley Thomas wrote:
> Are you referring to the packet drops reported by snort ?

Yes

> 
> IMHO, there might be a lot of logging being done, since you are using
> nmap to generate a lot of alert causing packets; and excessive logging will
> surely overload any IDS. 

:(


> (When you disable portscan preprocessor,
> those alerts are not generated, thereby not loading the IDS)

Yes, that's clear. However, I would not expect that with about 3000
packets 10% of them are dropped.


> 
> How are you running snort ? (what are the options used ? )

- var $HOME_NET 192.168.25.0/24
- Logging in unified format alerts and logs
- checksum_mode none
- Order pass info alert log activation dynamic
- Preprocessor portscan (!) only

I also tried the stream4/conversation combination, with slightly
better results. :(

Command line:

snort -I -D -z -c snort.conf_eth0 -i eth0 -u snort -g snort


> 
> -Ashley
> 
> Edin Dizdarevic wrote:
> 
>>
>> Hello,
>>
>> I have a strange situation here: I'm making some tests on a net
>> with heavy load. I run simple nmap X/F/N scans and always have some
>> packets dropped. I've tried 3 different NICs (Intel/3Com and
>> SIS900 (Realtek)) and the problem remained. No matter which
>> portscan preprocessor I use, some packets are dropped. Is that normal?
>> After deactivating all portscan detection everything is fine. Any docs
>> covering that?
>>
>> Regards,
>>
>> Edin

Regards,

Edin

-- 
Edin Dizdarevic
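To illustrate why a fast nmap scan turns into a flood of alert records in a threshold-based portscan preprocessor (the logging load Ashley describes above), here is an added example, not code from the thread or from Snort itself: a simplified sliding-window scan detector run over a constructed 3000-packet scan. The threshold (more than 4 distinct ports within 3 seconds), the source address and the packet data are assumptions, not the poster's configuration.

```python
# Added example: simplified sliding-window portscan detector, loosely
# modelled on a classic threshold-based portscan preprocessor. Thresholds,
# addresses and packets below are constructed assumptions.
from collections import defaultdict, deque

PORT_LIMIT = 4      # assumed threshold: distinct ports allowed per window
WINDOW_SECS = 3.0   # assumed window length in seconds


def detect_scans(packets, port_limit=PORT_LIMIT, window=WINDOW_SECS):
    """Return (scan_detections, per_packet_alerts).

    packets: iterable of (timestamp, src_ip, dst_port, tcp_flags).
    scan_detections: how many times a source newly crossed the threshold.
    per_packet_alerts: packets seen while a source is over the threshold;
    each of these would become a logged alert in a real IDS, which is
    where the logging load on a busy sensor comes from.
    """
    history = defaultdict(deque)   # src_ip -> deque of (timestamp, port)
    scanning = set()               # sources currently over the threshold
    scan_detections = 0
    per_packet_alerts = 0
    for ts, src, port, _flags in packets:
        q = history[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # expire entries outside window
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) > port_limit:
            if src not in scanning:
                scanning.add(src)
                scan_detections += 1
            per_packet_alerts += 1
        elif src in scanning:
            scanning.discard(src)  # activity dropped below threshold
    return scan_detections, per_packet_alerts


def constructed_xmas_scan(src="10.0.0.5", n_ports=3000, rate_pps=1000):
    # Constructed sample: one source probing n_ports sequential ports at
    # rate_pps with FIN/PSH/URG set, i.e. a fast Xmas-style scan.
    return [(i / rate_pps, src, 1 + i, "FPU") for i in range(n_ports)]


if __name__ == "__main__":
    detections, logged = detect_scans(constructed_xmas_scan())
    print(f"scan detections: {detections}, per-packet alert records: {logged}")
```

With the constructed 3000-packet scan, one detection yields 2996 per-packet alert records, which is the volume an output plugin has to write while the sensor is still trying to keep up with the wire.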