[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Jan 14 04:11:06 EST 2003


Gonzalez, Albert wrote:
> It all depends on *how* your logging. If your monitoring fast pipes (ie: t1
> and up)
> you should try tcpdump format (-b or output log_tcpdump[1]) or even better
> unified.

I'm doing that - no better results

> If you log to binary, then you can run it back through snort with an
> automated script
ACK, or Barnyard

> etc... but with a full logging, that isn't very bright with fast pipes.

There are no reliable statements on how fast the network is allowed to

According to my information, libpcap is able to capture about 
700Mbit/s, so that should not be a capturing problem. I already
suspected that, since it was no problem to capture 40000 packets
in 2 seconds with tcpdump. So, it must be a processing problem.
But which preprocessor can handle so much traffic? It should then be
possible to mask an attack with a simple nmap scan. Isn't that
quite easy to achieve?

> Cheers!
> [1] - http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.5.6
> PS:> This is well documented in the FAQ. You shouldn't log to full (I'm
> assuming here) when
>      you're seeing a lot of traffic. 
> ---
> Alberto Gonzalez
> EDS - Global Security Operations Center
> Security and Privacy Professional Services
> -----Original Message-----
> From: Ashley Thomas [mailto:athomas at ...5484...]
> Sent: Monday, January 13, 2003 2:12 PM
> To: edin.dizdarevic at ...7509...
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Portscan preprocessors dropping packets on a
> simple nmap-scan
> Are you referring to the packet drops reported by snort ?
> IMHO, there might be a lot of logging being done, since you are using
> nmap to generate a lot of alert causing packets; and excessive logging will
> surely overload any IDS. (When you disable portscan preprocessor,
> those alerts are not generated, thereby not loading the IDS)
> How are you running snort ? (what are the options used ? )
> -Ashley
> Edin Dizdarevic wrote:
>>I have a strange situation here: I'm making some tests on a net
>>with heavy load. I run simple nmap X/F/N-scans having always some
>>packets dropped. I've tried 3 different NICs (Intel/3Com and
>>SIS900(Realtek)) and the problem remained. No matter which
>>portscan-preprocessor I use, some packets are dropped. Is that normal?
>>After deactivating all portscan detection everything is fine. Any docs
>>covering that?

Edin Dizdarevic
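As an added illustration of the two logging setups discussed in this thread (example configuration, not from any poster): the snort.conf output lines below contrast the "full" alert output the reply warns about with the binary log_tcpdump and unified outputs it recommends. The plugin names and arguments are those of the Snort 1.9 manual chapter linked in the reply; the file names, the portscan arguments and the interface are assumptions.

```conf
# Added example, not part of the thread. File names and the portscan
# arguments are assumptions; plugin names are from the Snort 1.9 manual.

# --- Setup A: the slow path. alert_full writes the fully decoded headers
# of every alert to a text file, and without -b the packets that go with
# them are written as decoded ASCII too. Under an nmap scan that generates
# thousands of alerts, this is the first thing to suspect when Snort
# reports dropped packets.
output alert_full: alert.full

# --- Setup B: binary output, as suggested in the reply. Unified mode
# writes alerts and packets in Snort's own binary format so that Barnyard
# can do the formatting off-line, away from the sniffing process.
# "limit 128" is the maximum spool file size in MB before roll-over.
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128

# Alternative to the unified pair: raw packets in pcap (tcpdump) format,
# which tcpdump or Snort itself can read back later.
# output log_tcpdump: snort.log

# The portscan preprocessor the original poster saw costing packets.
# Arguments (assumed here): monitored network, number of ports, time
# window in seconds, and the log file for scan reports.
preprocessor portscan: $HOME_NET 4 3 portscan.log
```

Starting the sensor as `snort -c snort.conf -i eth0 -b -l /var/log/snort` forces tcpdump-format packet logging with the `-b` switch regardless of the output plugins chosen (interface and log directory assumed). With the unified pair in place, a Barnyard run such as `barnyard -c barnyard.conf -d /var/log/snort -f snort.log -w barnyard.waldo` (file names assumed) reads the spool files and does the expensive per-alert formatting instead of Snort.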
