Snort mailing list archives
Re: snort option [-n packet-count ]
From: Steven Sturges <ststurge () cisco com>
Date: Thu, 22 May 2014 21:09:48 -0700
On 5/22/14, 8:43 PM, ratheesh kannoth wrote:
> On Thu, May 22, 2014 at 7:55 PM, Steve Sturges (ststurge) <ststurge () cisco com> wrote:
>> Yes, one packet at a time. Once snort is finished with a packet, it returns from callback to the daq module and waits for the next packet.
>
> SourceFire production systems also use the same design? It looks like one packet at a time won't give much performance.

Same Snort. You'd be amazed at performance. :)

>> That is up to the daq module... Basically, if inline, that is the id (arbitrary per daq module) of the interface where packets are sent out. If passive, it isn't set.
>
> Could you pls explain a little bit more here? Even if we configure it as inline, a verdict is made for each packet. So we know from where the packet has come and where it has to go? I agree that if a packet is put into the DAQ layer using the daq_reinject routine (by snort), maybe we don't have those (egress and ingress interface info). I am not very sure on this statement?

Yes, at some layer, there should be knowledge about the incoming interface, and the outgoing interface. DAQ module can provide that information to Snort. The verdict only tells the DAQ that the packet should be allowed, blocked, etc.... When Snort does an inject, it is up to DAQ module to send out the correct interface -- having the ID in the DAQ header would certainly help from my perspective, but that is dependent on the implementation of the DAQ module itself.

> -Ratheesh

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
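
The control flow described in the message above, as an added example that is not part of the original post and is not Snort or libdaq code: a mock acquisition loop hands the engine one packet per callback, fills the egress interface id only when inline, enforces the returned verdict itself, and stops after a packet count the way the -n option in the subject line does. Every type and function name is hypothetical, and the three packets and the 0xFF rule are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT the libdaq API: every name below is hypothetical. */
#define IFACE_UNSET (-1)
typedef enum { VERDICT_PASS, VERDICT_BLOCK } verdict_t;
typedef struct { int ingress_id, egress_id; uint32_t len; } pkt_hdr_t;
typedef struct { pkt_hdr_t hdr; const uint8_t *data; } pkt_t;
typedef verdict_t (*analysis_cb)(void *user, const pkt_hdr_t *h, const uint8_t *data);
typedef struct { int inline_mode, peer[2]; unsigned forwarded[2], dropped; } daq_t;

/* One packet per callback; stops after `count` packets (count <= 0: no limit). */
static int mock_acquire(daq_t *d, pkt_t *q, int n, int count, analysis_cb cb, void *user) {
    int seen = 0;
    for (; seen < n && (count <= 0 || seen < count); seen++) {
        pkt_hdr_t *h = &q[seen].hdr;
        /* Only the module knows the wiring; egress is filled in when inline. */
        h->egress_id = d->inline_mode ? d->peer[h->ingress_id] : IFACE_UNSET;
        verdict_t v = cb(user, h, q[seen].data); /* engine returns, then next packet */
        if (!d->inline_mode) continue;           /* passive: nothing to enforce */
        if (v == VERDICT_PASS) d->forwarded[h->egress_id]++;
        else d->dropped++;
    }
    return seen;
}

/* Constructed rule: block a payload whose first byte is 0xFF. */
static verdict_t inspect(void *user, const pkt_hdr_t *h, const uint8_t *data) {
    *(int *)user = h->egress_id;                 /* record what the header carried */
    return (h->len > 0 && data[0] == 0xFF) ? VERDICT_BLOCK : VERDICT_PASS;
}

/* State left by the last run_sample() call: module counters, last egress id seen. */
static daq_t demo;
static int demo_last_egress;

static int run_sample(int inline_mode, int count) {
    static const uint8_t ok[] = { 0x45, 0x00 }, bad[] = { 0xFF, 0x00 };
    pkt_t q[] = { { {0, 0, 2}, ok }, { {1, 0, 2}, bad }, { {1, 0, 2}, ok } };
    memset(&demo, 0, sizeof demo);
    demo.inline_mode = inline_mode; demo.peer[0] = 1; demo.peer[1] = 0;
    return mock_acquire(&demo, q, 3, count, inspect, &demo_last_egress);
}

int main(void) {
    int seen = run_sample(1, 2);                 /* inline, stop after two packets */
    printf("seen=%d forwarded=%u dropped=%u\n", seen, demo.forwarded[1], demo.dropped);
    return 0;
}
```
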
Current thread:
- snort option [-n packet-count ] ratheesh kannoth (May 21)
- Re: snort option [-n packet-count ] Steve Sturges (ststurge) (May 22)
- Re: snort option [-n packet-count ] ratheesh kannoth (May 22)
- Re: snort option [-n packet-count ] Steven Sturges (May 22)
- Re: snort option [-n packet-count ] ratheesh kannoth (May 22)
- Re: snort option [-n packet-count ] Steve Sturges (ststurge) (May 22)