Snort mailing list archives
Re: Trivial question
From: Reinoud Koornstra <sockstat () hotmail com>
Date: Thu, 12 Sep 2013 20:19:07 +0000
Ok, thanks. Does this also hold for snort reading a pcap containing an ftp session?

Date: Thu, 12 Sep 2013 15:50:21 -0400
Subject: Re: [Snort-devel] Trivial question
From: rcombs () sourcefire com
To: sockstat () hotmail com
CC: snort-devel () lists sourceforge net

Snort reassembles different protocols differently. The 17K number is close to the paf_max default of 16K. PDUs (protocol data units like an HTTP response) larger than paf_max are truncated into paf_max blocks for processing by Snort.

The FTP data channel does not get reassembled in that fashion. Simplifying things, in inline IPS mode, it will reassemble every 2 data segments. Otherwise, every 2 or more acknowledged data segments, upon acknowledgement. Typically this will be around 2*1460 = 2920 bytes.

So, based on the limited info in your question, the answer is yes, that is correct.

On Wed, Sep 11, 2013 at 3:17 PM, Reinoud Koornstra <sockstat () hotmail com> wrote:

Dear Everyone,

When I run http traffic through snort, while snort is in inline mode and monitoring the size of the packets, I see that every 4 or more full MTU packets a packet of 17k bytes is being processed by snort. I am seeing this with most kinds of traffic, but not with ftp. Is that correct or not?

Thanks,
Reinoud.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
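The two reassembly behaviours Russ describes above (PDUs cut into paf_max-sized blocks for PAF-handled protocols such as HTTP, versus segment-count flushes for the FTP data channel), modelled as a small Python script so the chunk sizes a sensor would see can be predicted for a given segment/ACK pattern. This is an added example, not Snort's own code and not anything posted in the thread; the paf_max default of 16000 bytes and the 1460-byte MSS are assumptions taken from the message, and the traffic sequences are constructed.

```python
# Added example: a model of the two Snort stream reassembly behaviours
# described in the thread. Illustrative code, not Snort's own. The paf_max
# default of 16000 bytes and the MSS of 1460 are assumptions taken from
# the thread, not values read from a Snort build.

PAF_MAX_DEFAULT = 16000   # assumed: Snort 2.9 'config paf_max' default
MSS = 1460                # assumed: TCP payload of one full-MTU Ethernet segment


def paf_chunks(pdu_len, paf_max=PAF_MAX_DEFAULT):
    """Sizes of the blocks a PDU (e.g. one HTTP response) is handed to the
    detection engine in when it is larger than paf_max."""
    chunks = []
    remaining = pdu_len
    while remaining > 0:
        take = min(remaining, paf_max)
        chunks.append(take)
        remaining -= take
    return chunks


def inline_flushes(segment_sizes, segments_per_flush=2):
    """Inline IPS mode for non-PAF data (FTP data channel): flush every
    N data segments regardless of ACKs.

    Returns (list of flushed chunk sizes, bytes still buffered at the end).
    """
    flushes, pending = [], []
    for size in segment_sizes:
        pending.append(size)
        if len(pending) == segments_per_flush:
            flushes.append(sum(pending))
            pending = []
    return flushes, sum(pending)


def passive_flushes(events, min_segments=2):
    """Passive (non-inline) mode for non-PAF data: on each ACK, flush the
    acknowledged, not-yet-flushed segments once at least min_segments of
    them are acknowledged.

    events: sequence of ("data", payload_len) or ("ack", cumulative_ack_bytes),
    with the data stream starting at sequence offset 0.
    """
    flushes = []
    unflushed = []      # (end_offset, size) of data segments not yet flushed
    next_seq = 0
    for kind, value in events:
        if kind == "data":
            next_seq += value
            unflushed.append((next_seq, value))
        elif kind == "ack":
            acked = [seg for seg in unflushed if seg[0] <= value]
            if len(acked) >= min_segments:
                flushes.append(sum(size for _, size in acked))
                unflushed = [seg for seg in unflushed if seg[0] > value]
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return flushes


if __name__ == "__main__":
    # Constructed inputs: a 17000-byte HTTP response, and an FTP data
    # transfer of five full-MSS segments seen inline and then passively.
    print("HTTP 17000-byte PDU   ->", paf_chunks(17000))
    print("FTP inline, 5 segs    ->", inline_flushes([MSS] * 5))
    ftp_passive = [("data", MSS), ("data", MSS), ("ack", 2 * MSS),
                   ("data", MSS), ("ack", 3 * MSS),
                   ("data", MSS), ("data", MSS), ("ack", 5 * MSS)]
    print("FTP passive           ->", passive_flushes(ftp_passive))
```

Run it as a script to see the three cases side by side: the HTTP PDU comes out as one 16000-byte block plus a 1000-byte remainder, the inline FTP transfer as 2920-byte chunks with one segment left buffered, and the passive FTP transfer as a flush of 2920 bytes followed by one of 4380 bytes, because the single-segment ACK in the middle does not meet the two-segment threshold and its data is carried into the next flush.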
Current thread:
- Trivial question Reinoud Koornstra (Sep 11)
- Re: Trivial question Russ Combs (Sep 12)
- Re: Trivial question Reinoud Koornstra (Sep 12)
- Re: Trivial question Russ Combs (Sep 12)
- Re: Trivial question Reinoud Koornstra (Sep 12)
- Re: Trivial question Reinoud Koornstra (Sep 12)
- Re: Trivial question Russ Combs (Sep 12)