[Snort-users] Portscan preprocessors dropping packets on a si mple nmap-scan
erek at ...950...
Tue Jan 14 21:55:05 EST 2003
On Tue, 14 Jan 2003, Edin Dizdarevic wrote:
> As I already said, this is probably not a capturing problem. I have no
> dropped packets at all in the statistics. Capturing with tcpdump is
> working fine. I also captured with Snort in capture mode - no problem.
Ok... I'm just trying to make sure I'm on the same page: If you run Snort
w/spp_portscan or portscan2 then you get dropped packets--No matter if
you're coming off the wire or the pcap?
> Well, I used 3Com 905C, Intel EtherExpress 100 and Realtek (SiS900)
> with same results. That should be a proof enough.
Ok... OS? Is the driver for the OS stable? I know I might sound like a
whiner, but I'm just trying to figure things out. :)
> Hm, N*A? ;).
/me whistles and looks innocent. :)
> However, indeed a very interessting idea! Only find the way to buffer
> the stuff in the traffic peaks. A FIFO perhaps? tcpdump -n -l -i eth0 -w
> log.bin ; snort -r log.bin ? ;) The latency time should not be very
That could work, but it all depends on your net. FWIW, there is a named
pipe plugin that might work for you... Have a look at that. :)
/me looks around for the info on it.
Drop me an email, I'll see what I can come up with on that for you.
"When things get wierd, the wierd turn pro." H.S. Thompson
More information about the Snort-users