Snort mailing list archives
Re: Snort.org Blog: Snort 2.9.1 beta coming soon!
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 13 Jun 2011 16:01:59 -0400
On Mon, Jun 13, 2011 at 3:03 PM, Martin Holste <mcholste () gmail com> wrote:
>> No - that is still TBD. Are you seeing much traffic like this or just concerned about attacks?

> Both. We see 206's sent with extreme regularity both in legitimate and illegitimate applications.

If you have any pcaps you can share I'll fold them into our test data.

>> No - logging is in the main thread.

> Ok, I get why stream reassembly is theoretically more efficient in a single thread because of CPU caching, etc., but I don't understand why packets still have to wait in line for a u2 entry to be written. It seems like tossing output from the main thread into an async output thread would be pretty easy because you don't have to keep state and everything is one-way. For alerting, the volume is not an issue, but as more analysts use packet tagging and now HTTP logging, the strain on that single main thread is going to cause packet drops for some if they're not extremely careful. If I'm missing something, I'd be grateful for clarification.

Agreed. I don't think this issue has reached a point where it is on our roadmap yet, but all the extra logging could lead to reevaluating sooner rather than later. Thanks for your comments.
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel