[Snort-users] Portscan preprocessors dropping packets on a si mple nmap-scan

Erek Adams erek at ...950...
Tue Jan 14 21:55:05 EST 2003

On Tue, 14 Jan 2003, Edin Dizdarevic wrote:


> As I already said, this is probably not a capturing problem. I have no
> dropped packets at all in the statistics. Capturing with tcpdump is
> working fine. I also captured with Snort in capture mode - no problem.
> :(

Ok... I'm just trying to make sure I'm on the same page:  If you run Snort
w/spp_portscan or portscan2 then you get dropped packets--No matter if
you're coming off the wire or the pcap?

> Well, I used 3Com 905C, Intel EtherExpress 100 and Realtek (SiS900)
> with same results. That should be a proof enough.

Ok...  OS?  Is the driver for the OS stable?  I know I might sound like a
whiner, but I'm just trying to figure things out.  :)

> Hm, N*A? ;).

/me whistles and looks innocent.  :)

> However, indeed a very interessting idea! Only find the way to buffer
> the stuff in the traffic peaks. A FIFO perhaps? tcpdump -n -l -i eth0 -w
> log.bin ; snort -r log.bin ? ;) The latency time should not be very
> high.

That could work, but it all depends on your net.  FWIW, there is a named
pipe plugin that might work for you...  Have a look at that.  :)

/me looks around for the info on it.

Drop me an email, I'll see what I can come up with on that for you.


Erek Adams

   "When things get wierd, the wierd turn pro."   H.S. Thompson

More information about the Snort-users mailing list