[Snort-users] Portscan2 woes

Matt Kettler mkettler at ...4108...
Fri May 2 11:15:28 EDT 2003


I have the same problem... false "syn ack scan" alerts that I can reliably 
produce by loading a web page with a large number of embedded images....

Do a kill -USR1 on your snort process and check syslog. Are you dropping a 
lot of packets? If so, that may be the cause.

I found that when running portscan2 and conversation I had an almost 10% 
packet drop rate, and an absurdly high false positive rate.

Disabling it fixed the packet drop rate problem, and also made snort use 
significantly less memory. I guess it's just not cut out for lower-end 
hardware.

At 12:04 PM 5/2/2003 -0400, Robin Brown wrote:
>I'd like to use it, but I keep getting alerted on what looks like normal
>return web traffic:




