[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Jan 14 07:21:04 EST 2003


Hi Erek,

Erek Adams wrote:
> On Tue, 14 Jan 2003, Edin Dizdarevic wrote:
> 
> [...snip...]
> 
> 
>>There are no reliable statements on how fast the network is allowed to
>>be.
> 
> 
> heh...  Tell me about it.  :)
> 
> 
>>According to my information, libpcap is able to capture about
>>700Mbit/s, so that should not be a capturing problem. I already
>>suspected that, since it was no problem to capture 40000 packets
>>in 2 seconds with tcpdump.
> 
> 
> Here's something that  would be an interesting test case:
> 
>   Use netstat -i to get your in/out packets and errors for the interface
> in question.  Then start snort in one window, and at the same time start
> tcpdump in another window--Be sure and log to a pcap file for both.  After
> 5 or 10 seconds, stop both.  Again check netstat -i and get your numbers.
> Check the numbers that netstat reports vs. snort vs. tcpdump.

As I already said, this is probably not a capturing problem. I have no
dropped packets at all in the statistics. Capturing with tcpdump is
working fine. I also captured with Snort in capture mode - no problem.
:(

> 
> There have been cases where it's not code, but hardware.  Do you have a
> 'good' nic?  How's the driver for it?

Well, I used 3Com 905C, Intel EtherExpress 100 and Realtek (SiS900)
with same results. That should be a proof enough.

> 
> 
>>So, it must be a processing problem. But which preprocessor can handle
>>so much traffic? It should be the possible, to mask an attack with a
>>simple nmap scan. Isn't that quite easy to achieve?
> 
> 
> Well, some folks that I know of with fat pipes (multi DS3s) don't run
> _any_ processors.  They simply log to disk, and then post process with
> another .conf for processors.  That may not work for you, but it might be
> something to consider.

Hm, N*A? ;). However, indeed a very interesting idea! Only find the
way to buffer the stuff in the traffic peaks. A FIFO perhaps?
tcpdump -n -l -i eth0 -w log.bin ; snort -r log.bin ? ;) The latency
time should not be very high.


> 
> Hope that helps!

Thanks a lot,

Edin_


> 
> -----
> Erek Adams
> 
>    "When things get weird, the weird turn pro."   H.S. Thompson
> 

-- 
Edin Dizdarevic
Networking Unit
Internet- & e-Security

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic at ...7509...
URL     http://www.interActive-Systems.de/security
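
As an added example (written for this archive page, not code from the thread or from the Snort project), here is a shell version of the counter-comparison test Erek describes above, extended to report each tool's loss as a percentage; it assumes Linux net-tools "netstat -i" column names, tcpdump on PATH, and Snort's -b (binary pcap log) and -l (log directory) options.

```shell
#!/bin/sh
# Added example (not from the thread or Snort): compare the kernel's interface
# counters with what tcpdump and snort each wrote to disk in the same window,
# separating capture loss from preprocessor overload. Assumes Linux net-tools
# "netstat -i" column names and Snort's -b (binary pcap log) / -l (log dir).

# Print "RX-OK RX-DRP" for interface $1 from "netstat -i" text on stdin.
# Column positions come from the header, so with/without "Met" both parse.
iface_counters() {
    awk -v ifc="$1" '
        $1 == "Iface" { for (i = 1; i <= NF; i++) col[$i] = i; next }
        $1 == ifc     { print $(col["RX-OK"]), $(col["RX-DRP"]) }'
}

# Integer percent of the kernel's $1 received packets missing from a pcap
# that holds $2 packets.
loss_percent() {
    [ "$1" -gt 0 ] || { echo 0; return; }
    echo $(( ($1 - $2) * 100 / $1 ))
}

# Packets in a pcap, counted by replaying it through tcpdump.
pcap_packets() { tcpdump -nn -r "$1" 2>/dev/null | wc -l | tr -d ' '; }

# Capture on interface $1 for $2 seconds with both tools, pcaps under $3.
compare_capture() {
    ifc=$1; secs=$2; dir=$3; mkdir -p "$dir"
    before=$(netstat -i | iface_counters "$ifc")
    tcpdump -n -i "$ifc" -w "$dir/tcpdump.pcap" & tp=$!
    snort -i "$ifc" -b -l "$dir" & sp=$!
    sleep "$secs"; kill "$tp" "$sp"; wait "$tp" "$sp" 2>/dev/null
    after=$(netstat -i | iface_counters "$ifc")
    rx=$(( ${after%% *} - ${before%% *} ))
    drp=$(( ${after##* } - ${before##* } ))
    td=$(pcap_packets "$dir/tcpdump.pcap")
    sn=$(pcap_packets "$(ls "$dir"/snort.log.* | head -n 1)")
    echo "kernel rx=$rx drop=$drp tcpdump=$td (loss $(loss_percent "$rx" "$td")%)" \
         "snort=$sn (loss $(loss_percent "$rx" "$sn")%)"
}

# Constructed "netstat -i" output so the parser can be exercised offline.
SAMPLE_NETSTAT='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0    40000      0     12      0    38000      0      0      0 BMRU
lo    16436 0      500      0      0      0      500      0      0      0 LRU'
sample_counters() { printf '%s\n' "$SAMPLE_NETSTAT" | iface_counters "$1"; }
```

Run `compare_capture eth0 10 /tmp/cap` as root while the scan is in progress; a tool showing loss while the kernel's RX-DRP delta stays at zero points at processing, not at capture.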
