[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan
edin.dizdarevic at ...7509...
Mon Jan 13 11:35:05 EST 2003
Hi and thanks for the fast answer.
Ashley Thomas wrote:
> Are you referring to the packet drops reported by snort?
> IMHO, there might be a lot of logging being done, since you are using
> nmap to generate a lot of alert-causing packets; and excessive logging will
> surely overload any IDS.
> (When you disable the portscan preprocessor,
> those alerts are not generated, thereby not loading the IDS.)
Yes, that's clear. However, I would not expect that with about 3000
packets, 10% of the packets are dropped.
> How are you running snort? (What options are used?)
- var $HOME_NET 192.168.25.0/24
- Logging in unified format alerts and logs
- checksum_mode none
- Order pass info alert log activation dynamic
- Preprocessor portscan (!) only
I also tried the stream4/conversation combination, with slightly
better results. :(
snort -I -D -z -c snort.conf_eth0 -i eth0 -u snort -g snort
> Edin Dizdarevic wrote:
>> I have a strange situation here: I'm making some tests on a net
>> with heavy load. I run simple nmap X/F/N scans and always have some
>> packets dropped. I've tried 3 different NICs (Intel/3Com and
>> SIS900 (Realtek)) and the problem remained. No matter which
>> portscan preprocessor I use, some packets are dropped. Is that normal?
>> After deactivating all portscan detection everything is fine. Any docs
>> covering that?