[Snort-users] Portscan preprocessors dropping packets on a si mple nmap-scan
albert.gonzalez at ...7950...
Mon Jan 13 12:01:11 EST 2003
It all depends on *how* your logging. If your monitoring fast pipes (ie: t1
you should try tcpdump format (-b or output log_tcpdump) or even better
If you log to binary, then you can run it back through snort with an
etc... but with a full logging, that isn't very bright with fast pipes.
 - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.6
PS:> This is well documented in the FAQ. You shouldn't log to full (im
assuming here) when
you're seeing alot of traffic.
EDS - Global Security Operations Center
Security and Privacy Professional Servics
From: Ashley Thomas [mailto:athomas at ...5484...]
Sent: Monday, January 13, 2003 2:12 PM
To: edin.dizdarevic at ...7509...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Portscan preprocessors dropping packets on a
Are you referring to the packet drops reported by snort ?
IMHO, there might be a lot of logging being done, since you are using
nmap to generate a lot of alert causing packets; and excessive logging will
surely overload any IDS. (When you disable portscan preprocessor,
those alerts are not generated, thereby not loading the IDS)
How are you running snort ? (what are the options used ? )
Edin Dizdarevic wrote:
> I have a strange situation here: I'm making some tests on a net
> with heavy load. I run simple nmap X/F/N-scans having always some
> packets dropped. I've tried 3 different NICs (Intel/3Com and
> SIS900(Realtek)) and the problem remained. No matter which
> portscan-preprocessor I use, some packets are dropped. Is that normal?
> After deactivating all portscan detection everything is fine. Any docs
> covering that?
College of Computing
More information about the Snort-users