Snort mailing list archives

Re: Portscan preprocessors dropping packets on a simple nmap-scan


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Tue, 14 Jan 2003 16:20:58 +0100


Hi Erek,

Erek Adams wrote:
On Tue, 14 Jan 2003, Edin Dizdarevic wrote:

[...snip...]


There are no reliable statements on how fast the network is allowed to
be.


heh...  Tell me about it.  :)


According to my information, libpcap is able to capture about
700Mbit/s, so that should not be a capturing problem. I already
suspected that, since it was no problem to capture 40000 packets
in 2 seconds with tcpdump.


Here's something that  would be an interesting test case:

  Use netstat -i to get your in/out packets and errors for the interface
in question.  Then start snort in one window, and at the same time start
tcpdump in another window--Be sure and log to a pcap file for both.  After
5 or 10 seconds, stop both.  Again check netstat -i and get your numbers.
Check the numbers that netstat reports vs. snort vs. tcpdump.

As I already said, this is probably not a capturing problem. I have no
dropped packets at all in the statistics. Capturing with tcpdump is
working fine. I also captured with Snort in capture mode - no problem.
:(


There have been cases where it's not code, but hardware.  Do you have a
'good' nic?  How's the driver for it?

Well, I used 3Com 905C, Intel EtherExpress 100 and Realtek (SiS900)
with the same results. That should be proof enough.



So, it must be a processing problem. But which preprocessor can handle
so much traffic? It should be possible to mask an attack with a
simple nmap scan. Isn't that quite easy to achieve?


Well, some folks that I know of with fat pipes (multi DS3s) don't run
_any_ processors.  They simply log to disk, and then post process with
another .conf for processors.  That may not work for you, but it might be
something to consider.

Hm, N*A? ;). However, indeed a very interesting idea! Only find the
way to buffer the stuff in the traffic peaks. A FIFO perhaps?
tcpdump -n -l -i eth0 -w log.bin ; snort -r log.bin ? ;) The latency
time should not be very high.



Hope that helps!

Thanks a lot,

Edin_



-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


--
Edin Dizdarevic
Networking Unit
Internet- & e-Security

iAS interActive Systems
Gesellschaft fuer interaktive Medien mbH
Dieffenbachstr. 33c
10967 Berlin
Germany

fon     +49-(0)30 69 004-123
fax     +49-(0)30 69 004-101
mail    edin.dizdarevic () interActive-Systems de
URL     http://www.interActive-Systems.de/security
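The test Erek proposes above (snapshot `netstat -i` before and after a timed run, then compare the kernel's packet count with what snort and tcpdump recorded) and Edin's reasoning from it (tcpdump keeps up, so the loss is in processing, not capture) can be scripted. The following is an added example, not code from either poster; it uses constructed `netstat -i` output in the old Linux net-tools layout, and the packet totals fed to `locate_loss` are made-up numbers standing in for what `tcpdump -r file | wc -l` and snort's packet statistics would report on a real run.

```shell
#!/bin/sh
# Added example: locate where packets go missing during a capture run.
# BEFORE/AFTER are constructed "netstat -i" snapshots (not real output);
# on a real run, redirect `netstat -i` to two files around the capture.

BEFORE='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  120000      0      0      0   45000      0      0      0 BMRU
lo    16436   0     300      0      0      0     300      0      0      0 LRU'

AFTER='Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0  160000      0     12      0   45100      0      0      0 BMRU
lo    16436   0     320      0      0      0     320      0      0      0 LRU'

# netstat_delta IFACE BEFORE_TEXT AFTER_TEXT
# Prints "rx_pkts=<n> rx_drp=<n>": packets the kernel counted on IFACE
# between the two snapshots, and how many the kernel itself dropped.
# Columns are located by header name, because the column set differs
# between net-tools versions (older ones have a "Met" column).
netstat_delta() {
    iface=$1
    b=$(printf '%s\n' "$2" | awk -v i="$iface" '
        $1 == "Iface" { for (k = 1; k <= NF; k++) { if ($k == "RX-OK") ok = k; if ($k == "RX-DRP") drp = k } }
        $1 == i       { print $ok, $drp }')
    a=$(printf '%s\n' "$3" | awk -v i="$iface" '
        $1 == "Iface" { for (k = 1; k <= NF; k++) { if ($k == "RX-OK") ok = k; if ($k == "RX-DRP") drp = k } }
        $1 == i       { print $ok, $drp }')
    [ -n "$b" ] && [ -n "$a" ] || return 1      # interface missing from a snapshot
    set -- $b $a                                # $1=ok_before $2=drp_before $3=ok_after $4=drp_after
    printf 'rx_pkts=%d rx_drp=%d\n' "$(( $3 - $1 ))" "$(( $4 - $2 ))"
}

# locate_loss KERNEL_PKTS TCPDUMP_PKTS SNORT_PKTS
# Classifies the loss for one run, with 1% slack for packets that arrive
# between taking the snapshots and starting/stopping the sniffers:
#   capture    - tcpdump already saw fewer packets than the kernel counted
#                (NIC, driver or libpcap problem)
#   processing - tcpdump kept up but snort recorded fewer (the thread's case:
#                the preprocessors, not the capture path, are the bottleneck)
#   none       - all three agree within the tolerance
locate_loss() {
    k=$1; t=$2; s=$3
    tol=$(( k / 100 ))
    if [ $(( k - t )) -gt "$tol" ]; then echo capture
    elif [ $(( t - s )) -gt "$tol" ]; then echo processing
    else echo none
    fi
}

# Stand-alone demonstration on the constructed data.
netstat_delta eth0 "$BEFORE" "$AFTER"      # rx_pkts=40000 rx_drp=12
locate_loss 40000 39950 31000              # processing
```

The `rx_drp` delta is worth reading separately from the classification: a non-zero kernel drop count with tcpdump and snort otherwise agreeing points at the host losing packets before any sniffer sees them, which is the hardware/driver case Erek raises, whereas a zero drop count with snort alone falling behind supports Edin's conclusion that it is the preprocessing load.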



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net