[Snort-users] Portscan2 woes
mkettler at ...4108...
Fri May 2 11:15:28 EDT 2003
I have the same problem... false "syn ack scan" alerts that I can reliably
produce by loading a web page with a large number of embedded images....

Do a kill -USR1 on your snort process and check syslog. Are you dropping a
lot of packets? If so, that may be the cause.

I found that when running portscan2 and conversation I had almost 10%
packet drop rate, and an absurdly high false positive rate.

Disabling it fixed the packet drop rate problem, and also made snort use
significantly less memory. I guess it's just not cut out for lower-end

At 12:04 PM 5/2/2003 -0400, Robin Brown wrote:
>I'd like to use it, but I keep getting alerted on what looks like normal
>return web traffic: