[Snort-users] Portscan preprocessors dropping packets on a si mple nmap-scan

Edin Dizdarevic edin.dizdarevic at ...7509...
Tue Jan 14 23:57:03 EST 2003


Hi,

->

Erek Adams wrote:
> On Tue, 14 Jan 2003, Edin Dizdarevic wrote:
> 
> [...snip...]
> 
> 
>>As I already said, this is probably not a capturing problem. I have no
>>dropped packets at all in the statistics. Capturing with tcpdump is
>>working fine. I also captured with Snort in capture mode - no problem.
>>:(
> 
> 
> Ok... I'm just trying to make sure I'm on the same page:  If you run Snort
> w/spp_portscan or portscan2 then you get dropped packets--No matter if
> you're coming off the wire or the pcap?

...or stream4, yes, according to Snort statistics after kiling with
SIGUSR1

> 
> 
>>Well, I used 3Com 905C, Intel EtherExpress 100 and Realtek (SiS900)
>>with same results. That should be a proof enough.
> 
> 
> Ok...  OS?  Is the driver for the OS stable?  I know I might sound like a
> whiner, but I'm just trying to figure things out.  :)

Linux 2.4.18/19/20, Red Hat, libcap 0.7.1, Snort 1.9.0

I had a machine that had 256M RAM, a Celeron 1500. Today I'll try
a P4 with 512M. Maybe that will help.

> 
> 
>>Hm, N*A? ;).
> 
> 
> /me whistles and looks innocent.  :)
> 
> 
>>However, indeed a very interessting idea! Only find the way to buffer
>>the stuff in the traffic peaks. A FIFO perhaps? tcpdump -n -l -i eth0 -w
>>log.bin ; snort -r log.bin ? ;) The latency time should not be very
>>high.
> 
> 
> That could work, but it all depends on your net.  FWIW, there is a named
> pipe plugin that might work for you...  Have a look at that.  :)

|8-P°°°  ...to find, where?

> 
> /me looks around for the info on it.

Nice...

> 
> Drop me an email, I'll see what I can come up with on that for you.

Here it is... ;)

> 
> Cheers!
> 
> -----
> Erek Adams
> 
>    "When things get wierd, the wierd turn pro."   H.S. Thompson
> 

-- 
Edin Dizdarevic





More information about the Snort-users mailing list