[Snort-users] Portscan preprocessors dropping packets on a si mple nmap-scan

Gonzalez, Albert albert.gonzalez at ...7950...
Mon Jan 13 12:01:11 EST 2003

It all depends on *how* your logging. If your monitoring fast pipes (ie: t1
and up)
you should try tcpdump format (-b or output log_tcpdump[1]) or even better
If you log to binary, then you can run it back through snort with an
automated script
etc... but with a full logging, that isn't very bright with fast pipes.


[1] - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.6

PS:> This is well documented in the FAQ. You shouldn't log to full (im
assuming here) when
     you're seeing alot of traffic. 

Alberto Gonzalez
EDS - Global Security Operations Center
Security and Privacy Professional Servics

-----Original Message-----
From: Ashley Thomas [mailto:athomas at ...5484...]
Sent: Monday, January 13, 2003 2:12 PM
To: edin.dizdarevic at ...7509...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Portscan preprocessors dropping packets on a
simple nmap-scan

Are you referring to the packet drops reported by snort ?

IMHO, there might be a lot of logging being done, since you are using
nmap to generate a lot of alert causing packets; and excessive logging will
surely overload any IDS. (When you disable portscan preprocessor,
those alerts are not generated, thereby not loading the IDS)

How are you running snort ? (what are the options used ? )


Edin Dizdarevic wrote:

> Hello,
> I have a strange situation here: I'm making some tests on a net
> with heavy load. I run simple nmap X/F/N-scans having always some
> packets dropped. I've tried 3 different NICs (Intel/3Com and
> SIS900(Realtek)) and the problem remained. No matter which
> portscan-preprocessor I use, some packets are dropped. Is that normal?
> After deactivating all portscan detection everything is fine. Any docs
> covering that?
> Regards,
> Edin

Ashley Thomas
Research scientist
College of Computing
Georgia Tech.

More information about the Snort-users mailing list