Snort mailing list archives

Re: snort mixes multiple (unrelated) payloads into one alert


From: "Eric J. Bowser" <ebowser () neobright net>
Date: Mon, 24 Jul 2006 12:50:33 -0400

Jason wrote:
> The problem is packet loss. A single buffer is used for reassembly. If
> you are missing packets when reassembly is done then the old data is
> still in the gaps...


So to make sure I have this right... mixed data happens when there is packet
loss.  Turning on "zero_flushed_packets" will prevent the mixing, causing me
to see all 0x00 instead.

If running "zero_flushed_packets" has a performance hit associated, won't it
increase incidence of dropped packets, and make the reassembly problem even
worse?

Thanks for the info so far guys, keep it coming =)

~Eric

-- 
Eric J. Bowser
I-TRAP Internet Security Services
888-658-8727 toll-free
330-658-0123 fax
www.i-trap.net

"Quis Custodiet Ipsos Custodes?"

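The behaviour Jason describes (one reassembly buffer reused across flushes, so lost segments leave stale bytes from an earlier stream in the gaps) and the effect of zero_flushed_packets can be reproduced with a small model. The following is an added example written for this archive page; it is not Snort's own stream code, and the buffer layout, the segment structure and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Model of a single reassembly buffer that is reused for every flush.
 * Nothing clears it between streams unless zero_flushed is requested. */
static unsigned char reassembly_buf[BUF_SIZE];

/* One TCP segment: its offset within the stream and its payload
 * (constructed sample data, NUL-terminated for simplicity). */
struct segment {
    size_t offset;
    const char *data;
};

/* Copy the received segments into the shared buffer and hand back the
 * reassembled span. Missing segments are simply never written, so the
 * bytes in that range are whatever the buffer held before.
 * zero_flushed models the zero_flushed_packets option: clear the buffer
 * before reassembling so gaps show up as 0x00 instead of old data. */
size_t reassemble(const struct segment *segs, size_t nsegs,
                  int zero_flushed, unsigned char *out)
{
    if (zero_flushed)
        memset(reassembly_buf, 0, BUF_SIZE);

    size_t end = 0;
    for (size_t i = 0; i < nsegs; i++) {
        size_t len = strlen(segs[i].data);
        if (segs[i].offset + len > BUF_SIZE)
            continue;                       /* out of range, drop it */
        memcpy(reassembly_buf + segs[i].offset, segs[i].data, len);
        if (segs[i].offset + len > end)
            end = segs[i].offset + len;
    }
    memcpy(out, reassembly_buf, end);
    return end;
}

/* Two unrelated streams on the same sensor (constructed sample input).
 * Stream A arrives complete; stream B loses its middle segment.
 * Returns the byte found at offset 15 of the reassembled stream B,
 * i.e. inside the gap left by the lost segment. */
int gap_byte_after_loss(int zero_flushed)
{
    memset(reassembly_buf, 0, BUF_SIZE);    /* fresh sensor */
    unsigned char out[BUF_SIZE];

    const struct segment stream_a[] = {
        { 0,  "AAAAAAAAAA" },
        { 10, "BBBBBBBBBB" },
        { 20, "CCCCCCCCCC" },
    };
    reassemble(stream_a, 3, zero_flushed, out);

    /* segment at offset 10 of stream B was dropped before the flush */
    const struct segment stream_b[] = {
        { 0,  "1111111111" },
        { 20, "3333333333" },
    };
    size_t n = reassemble(stream_b, 2, zero_flushed, out);
    return n > 15 ? out[15] : -1;
}

int main(void)
{
    int stale = gap_byte_after_loss(0);
    int zeroed = gap_byte_after_loss(1);
    printf("gap byte without zeroing: 0x%02x ('%c') <- stream A data\n",
           stale, stale);
    printf("gap byte with zeroing:    0x%02x\n", zeroed);
    return 0;
}
```

Without zeroing, the gap in stream B is filled with 'B' bytes that belong to stream A, which is exactly the "mixed payload" seen in the alert; with zeroing, the same gap reads 0x00, matching what the post says zero_flushed_packets produces. The model says nothing about the performance cost of the memset, which is the separate question raised above.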

