[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan

Edin Dizdarevic edin.dizdarevic at ...7509...
Mon Jan 13 11:35:05 EST 2003

Hi and thanks for the fast answer.


Ashley Thomas wrote:
> Are you referring to the packet drops reported by snort ?
>
> IMHO, there might be a lot of logging being done, since you are using
> nmap to generate a lot of alert causing packets; and excessive logging will
> surely overload any IDS. (When you disable portscan preprocessor,
> those alerts are not generated, thereby not loading the IDS)

Yes, that's clear. However, I would not expect 10% of the packets to be
dropped with about 3000 packets.

> How are you running snort ? (what are the options used ? )

- var $HOME_NET
- Logging in unified format alerts and logs
- checksum_mode none
- Order pass info alert log activation dynamic
- Preprocessor portscan (!) only

I also tried the combination stream4/conversation, with slightly
better results. :(

Command line:

snort -I -D -z -c snort.conf_eth0 -i eth0 -u snort -g snort

> -Ashley
> Edin Dizdarevic wrote:
>> Hello,
>> I have a strange situation here: I'm making some tests on a net
>> with heavy load. I run simple nmap X/F/N-scans having always some
>> packets dropped. I've tried 3 different NICs (Intel/3Com and
>> SIS900(Realtek)) and the problem remained. No matter which
>> portscan-preprocessor I use, some packets are dropped. Is that normal?
>> After deactivating all portscan detection everything is fine. Any docs
>> covering that?
>> Regards,
>> Edin



Edin Dizdarevic
