[Snort-users] (no subject)
joel.esler at ...1935...
Wed May 24 09:02:09 EDT 2006
Perhaps I don't understand what's going on. Your number of alerts
increases when speed increases?
Santi Benito wrote:
> Hello Joel, I could not respond to you before because I have not been at
> home these days.
> My problem was that when my replaying rate from one computer to
> another grows the number of alerts pass from 740 at 20Mb/s to 745 at
> I am only using p2p.rules and bleeding's p2p rules also.
> I don't understand this issue.
> Another thing is, if it is normal that ethereal catches more p2p
> packets from one pcap file than snort.
> Thanks a lot.
> I think that you have the main configuration of my snort.conf file, no?
> I will be very pleased if you could help me.
> On 5/20/06, Joel Esler <joel.esler at ...1935...> wrote:
> Maybe I lost the first email, so I can't find the problem, but what is
> the problem you are having?
> Santi Benito wrote:
>> Thanks a lot Martin,but I think that I have the portscan preprocessor
>> disabled from the beginning. I do the probes with this preprocessor
>> configuration in snort.conf:
>> preprocessor flow: stats_interval 0 hash 2
>> preprocessor frag2
>> preprocessor stream4: disable_evasion_alerts detect_scans
>> preprocessor stream4_reassemble
>> preprocessor rpc_decode: 111 32771
>> preprocessor bo
>> preprocessor telnet_decode
>> I think that for my purpose, see how many alerts of only p2p traffic it
>> detects, I also could disable all the preprocessors, I also saw one
>> time that preprocessor http_inspect generated me a lot of alerts and I
>> disabled it.
>> So if I have that configuration, and the problem continues existing,
>> what could be the cause?
>> My professor has told me to use tethereal, and it catches much more
>> packets than snort, but at 50Mb/s begins dropping packets....so I
>> would like to solve the problem of snort, but I don't know how.
>> Thanks a lot, I expect not to have bored you.