Snort mailing list archives

Re: Snort.org Blog: Snort 2.9.1 beta coming soon!

From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 13 Jun 2011 16:01:59 -0400

On Mon, Jun 13, 2011 at 3:03 PM, Martin Holste <mcholste () gmail com> wrote:

No - that is still TBD.  Are you seeing much traffic like this or just
concerned about attacks?


Both.  We see 206's sent with extreme regularity both in legitimate
and illegitimate applications.


If you have any pcaps you can share I'll fold them into our test data.

No - logging is in the main thread.


Ok, I get why stream reassembly is theoretically more efficient in a
single thread because of CPU caching, etc., but I don't understand why
packets still have to wait in line for a u2 entry to be written.  It
seems like tossing output from the main thread into an async output
thread would be pretty easy because you don't have to keep state and
everything is one-way.  For alerting, the volume is not an issue, but
as more analysts use packet tagging and now HTTP logging, the strain
on that single main thread is going to cause packet drops for some if
they're not extremely careful.  If I'm missing something, I'd be
grateful for clarification.


Agreed.  I don't think this issue has reached a point where it is on our
roadmap yet, but all the extra logging could lead to reevaluating sooner
rather than later.  Thanks for your comments.

------------------------------------------------------------------------------

EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Current thread:

Re: Snort.org Blog: Snort 2.9.1 beta coming soon!, (continued)
- - - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! firnsy (Jun 14)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 14)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Randal T. Rioux (Jun 14)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 14)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! firnsy (Jun 15)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 15)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Steven Sturges (Jun 15)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 15)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Randal T. Rioux (Jun 15)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Martin Holste (Jun 13)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Russ Combs (Jun 13)
    - Re: Snort.org Blog: Snort 2.9.1 beta coming soon! Joel Esler (Jun 13)