[Snort-users] Portscan preprocessors dropping packets on a simple nmap-scan
edin.dizdarevic at ...7509...
Tue Jan 14 07:21:04 EST 2003
Erek Adams wrote:
> On Tue, 14 Jan 2003, Edin Dizdarevic wrote:
>>There are no reliable statements on how fast the network is allowed to
> heh... Tell me about it. :)
>>According to my information, libpcap is able to capture about
>>700Mbit/s, so that should not be a capturing problem. I already
>>suspected that, since it was no problem to capture 40000 packets
>>in 2 seconds with tcpdump.
> Here's something that would be an interesting test case:
> Use netstat -i to get your in/out packets and errors for the interface
> in question. Then start snort in one window, and at the same time start
> tcpdump in another window--Be sure and log to a pcap file for both. After
> 5 or 10 seconds, stop both. Again check netstat -i and get your numbers.
> Check the numbers that netstat reports vs. snort vs. tcpdump.
As I already said, this is probably not a capturing problem. I have no
dropped packets at all in the statistics. Capturing with tcpdump is
working fine. I also captured with Snort in capture mode - no problem.
> There have been cases where it's not code, but hardware. Do you have a
> 'good' nic? How's the driver for it?
Well, I used 3Com 905C, Intel EtherExpress 100 and Realtek (SiS900)
with the same results. That should be proof enough.
>>So, it must be a processing problem. But which preprocessor can handle
>>so much traffic? It should be possible to mask an attack with a
>>simple nmap scan. Isn't that quite easy to achieve?
> Well, some folks that I know of with fat pipes (multi DS3s) don't run
> _any_ processors. They simply log to disk, and then post process with
> another .conf for processors. That may not work for you, but it might be
> something to consider.
Hm, N*A? ;). However, indeed a very interesting idea! Only find the
way to buffer the stuff in the traffic peaks. A FIFO perhaps?
tcpdump -n -l -i eth0 -w log.bin ; snort -r log.bin ? ;) The latency
time should not be very high.
> Hope that helps!
Thanks a lot,
> Erek Adams
> "When things get weird, the weird turn pro." H.S. Thompson
Internet- & e-Security
iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
fon +49-(0)30 69 004-123
fax +49-(0)30 69 004-101
mail edin.dizdarevic at ...7509...