[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan

Erek Adams erek at ...950...
Tue Jan 14 06:19:03 EST 2003


On Tue, 14 Jan 2003, Edin Dizdarevic wrote:

[...snip...]

> There are no reliable statements on how fast the network is allowed to
> be.

heh...  Tell me about it.  :)

> According to my information, libpcap is able to capture about
> 700Mbit/s, so that should not be a capturing problem. I already
> suspected that, since it was no problem to capture 40000 packets
> in 2 seconds with tcpdump.

Here's something that would be an interesting test case:

  Use netstat -i to get your in/out packets and errors for the interface
in question.  Then start snort in one window, and at the same time start
tcpdump in another window--Be sure and log to a pcap file for both.  After
5 or 10 seconds, stop both.  Again check netstat -i and get your numbers.
Check the numbers that netstat reports vs. snort vs. tcpdump.

There have been cases where it's not code, but hardware.  Do you have a
'good' nic?  How's the driver for it?

> So, it must be a processing problem. But which preprocessor can handle
> so much traffic? It should be possible to mask an attack with a
> simple nmap scan. Isn't that quite easy to achieve?

Well, some folks that I know of with fat pipes (multi DS3s) don't run
_any_ processors.  They simply log to disk, and then post process with
another .conf for processors.  That may not work for you, but it might be
something to consider.

Hope that helps!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
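
One way to script the netstat-vs-sniffer comparison described above, as an added example that is not part of the original thread. It assumes the Linux net-tools layout of `netstat -i` (RX-OK in column 3, RX-DRP in column 5); the two snapshots below are constructed sample output, and the live commands at the end are only sketched in a comment.

```shell
#!/bin/sh
# Constructed "netstat -i" snapshots taken before and after a capture run.
NETSTAT_BEFORE='Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1000000      0      5      0   800000      0      0      0 BMRU
lo       65536     1234      0      0      0     1234      0      0      0 LRU'

NETSTAT_AFTER='Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1040000      0     25      0   800100      0      0      0 BMRU
lo       65536     1240      0      0      0     1240      0      0      0 LRU'

# Print one numeric column of the row for a given interface.
# $1 = netstat output, $2 = interface name, $3 = column (3=RX-OK, 5=RX-DRP)
iface_field() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v col="$3" '$1 == ifc { print $col }'
}

# Change of a counter between two snapshots.
# $1 = before, $2 = after, $3 = interface, $4 = column
delta() {
    b=$(iface_field "$1" "$3" "$4")
    a=$(iface_field "$2" "$3" "$4")
    echo $((a - b))
}

# Percentage of kernel-counted packets the sniffer did NOT write out
# (integer, rounded down). $1 = kernel RX-OK delta, $2 = packets in the pcap.
loss_pct() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( ($1 - $2) * 100 / $1 ))
}

# Live use, following the procedure in the post (not executed here):
#   before=$(netstat -i)
#   snort -i eth0 -b -l /tmp/snortlog &   tcpdump -i eth0 -w /tmp/td.pcap &
#   sleep 10; kill %1 %2; after=$(netstat -i)
#   kernel=$(delta "$before" "$after" eth0 3)
#   td=$(tcpdump -r /tmp/td.pcap 2>/dev/null | wc -l)
#   echo "kernel=$kernel tcpdump=$td loss=$(loss_pct "$kernel" "$td")%"
#   (repeat the count for the snort.log.* file in /tmp/snortlog)
```

A growing RX-DRP delta with a near-zero loss percentage points at the NIC or driver rather than the sniffer, which is the hardware case the post raises.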
