Snort mailing list archives

Re: Performance again


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 23 Dec 2003 16:08:14 -0500

At 02:07 PM 12/23/2003, Edin Dizdarevic wrote:
Another useful piece of information. Snort will never drop a packet itself; it is
always the connection, BPF or LSF respectively, and libpcap where packets
are being dropped, simply due to the timeouts which the BPF device has
bound to its buffers (which again may be influenced by the corresponding
libpcap app).

From my point of view, I think I am a step further now.

Good, glad I could help.

But: if a packet is dropped from the queue that is needed, e.g., for
defragmentation or in order to reassemble the TCP stream, either I
have to throw away the complete stream/packet or my content may have
some holes...

Yep... but that will happen no matter where the drops occur, at the pcap layer or at the snort layer.

That also illustrates why packet drops aren't a good thing. They are a weakness a knowing attacker can take advantage of.

And it's not just TCP streams that suffer from "holes" as a result of drops... ANY packet drop constitutes a hole in the data, where an attack _could_ have been. This could be udp/dns just as easily as tcp/http.

AFAIK snort tries to mitigate the impact of the holes by sending down as much of the data as it actually got whenever stream4 flushes. The streams are flushed whenever data goes back over the connection, or when a timeout expires.


I will probably come up with few new questions later on. Have to think
about it a bit now... ;)

ok, enjoy.
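Added example (not from this thread or from Snort's own source): a toy model of the flush behaviour discussed above, where a reassembler hands on whatever bytes it actually captured and reports the byte ranges that never arrived, so a drop shows up as a visible hole rather than silently spliced data. The segment contents and sequence numbers are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int      # relative sequence number of the segment's first byte
    data: bytes


@dataclass
class StreamBuffer:
    """One direction of a TCP stream: collect segments, flush on demand."""
    next_seq: int = 0                                        # first byte not yet flushed
    segments: Dict[int, bytes] = field(default_factory=dict)  # seq -> payload

    def add(self, seg: Segment) -> None:
        # Keep whatever the capture layer delivered; a retransmission overwrites.
        self.segments[seg.seq] = seg.data

    def flush(self) -> Tuple[bytes, List[Tuple[int, int]]]:
        """Return (data, holes): every captured byte in sequence order, plus the
        [start, end) ranges that were never seen. Mirrors the idea that the
        detection engine gets the data that was captured, holes and all."""
        out = bytearray()
        holes: List[Tuple[int, int]] = []
        pos = self.next_seq
        for seq in sorted(self.segments):
            data = self.segments[seq]
            if seq > pos:
                holes.append((pos, seq))      # bytes [pos, seq) were dropped upstream
            elif seq + len(data) <= pos:
                continue                      # pure duplicate of already-flushed bytes
            else:
                data = data[pos - seq:]       # trim overlap with flushed bytes
                seq = pos
            out += data
            pos = seq + len(data)
        self.next_seq = pos
        self.segments.clear()
        return bytes(out), holes


def demo() -> Tuple[bytes, List[Tuple[int, int]]]:
    """Constructed case: a three-segment HTTP request whose middle segment
    (seq 26, 20 bytes of 'Host: example.test\\r\\n') was dropped before capture."""
    buf = StreamBuffer()
    buf.add(Segment(0, b"GET /index.html HTTP/1.0\r\n"))   # 26 bytes
    buf.add(Segment(46, b"User-Agent: probe\r\n\r\n"))     # 21 bytes
    return buf.flush()
```

A monitoring rule that alerts on a non-empty `holes` list is one way to surface the blind spot that a pattern match over `data` alone would hide.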

