Snort mailing list archives
Re: Performance again
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 23 Dec 2003 16:08:14 -0500
At 02:07 PM 12/23/2003, Edin Dizdarevic wrote:
> Another useful piece of information. Snort will never drop a packet itself, it is always the connection BPF or LSF respectively and libpcap where packets are being dropped, simply due to the timeouts which the BPF device has bound to its buffers (which again may be influenced by the corresponding libpcap-app). From my point of view, I think I am a step further now.
Good, glad I could help.
> But: If a packet is dropped from the queue that is needed, for example, for defragmentation or in order to reassemble the TCP stream, either I have to throw away the complete stream/packet or my content may feature some holes...
Yep.. but that will happen no matter where the drops occur, at the pcap layer or at the snort layer.
That also illustrates why packet drops aren't a good thing. They are a weakness a knowing attacker can take advantage of.
And it's not just tcp streams that suffer from "holes" as a result of drops.. ANY packet drop constitutes a hole in the data, where an attack _could_ have been. This could be udp/dns just as easily as tcp/http.
AFAIK snort tries to mitigate the impact of the holes by sending down as much of the data as it actually got whenever stream4 flushes. The streams are flushed whenever data goes back over the connection, or when a timeout expires.
> I will probably come up with a few new questions later on. Have to think about it a bit now... ;)
ok, enjoy.
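The effect discussed in this message, as an added example that is not part of the original post and is not Snort's stream4 code: a simplified reassembler that hands down whatever data arrived, records the holes left by dropped segments, and reports a stream as "incomplete" rather than "clean" when a content check finds nothing but holes exist. The function names, the sample payload and the pattern are constructed for illustration.

```python
MOD = 2**32  # TCP sequence numbers wrap at 32 bits

def segment(payload, isn, size):
    """Split payload into (seq, data) segments starting at sequence number isn."""
    return [((isn + i) % MOD, payload[i:i + size])
            for i in range(0, len(payload), size)]

def reassemble(isn, segments):
    """Return (chunks, holes) for one direction of a stream.

    chunks: contiguous runs actually received, as (offset, bytes)
    holes:  gaps between them, as (offset, length)
    A missing tail cannot be seen here; that needs the FIN sequence number.
    """
    chunks, holes, expected = [], [], 0
    # Sort by offset relative to the ISN so out-of-order arrival does not matter.
    for off, data in sorted(((seq - isn) % MOD, d) for seq, d in segments):
        if not data or off + len(data) <= expected:
            continue                      # empty segment or full retransmission
        if off > expected:                # bytes were never captured: a hole
            holes.append((expected, off - expected))
            chunks.append([off, b""])
        elif not chunks:
            chunks.append([off, b""])
        chunks[-1][1] += data[max(0, expected - off):]  # trim any overlap
        expected = off + len(data)
    return [tuple(c) for c in chunks], holes

def inspect(isn, segments, pattern):
    """Content check that does not call a stream with holes 'clean'."""
    chunks, holes = reassemble(isn, segments)
    if any(pattern in data for _, data in chunks):
        return "match", holes
    return ("incomplete" if holes else "clean"), holes

# Constructed sample: ISN chosen near the 32-bit wrap, benign marker as pattern.
ISN = 0xFFFFFFF0
PAYLOAD = b"GET /index.html HTTP/1.0\r\nX-Marker: CONSTRUCTED-PATTERN\r\n\r\n"
PATTERN = b"CONSTRUCTED-PATTERN"

if __name__ == "__main__":
    full = segment(PAYLOAD, ISN, 20)
    print(inspect(ISN, reversed(full), PATTERN))        # all segments captured
    print(inspect(ISN, [full[0], full[2]], PATTERN))    # middle segment dropped
```

The pattern straddles the second and third segments, so losing the second one leaves two chunks that each contain only part of it.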