Snort mailing list archives

Re: question about paf


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 18 Dec 2014 16:35:21 +0000


________________________________
From: Hyunseok [hyunseok () ieee org]
Sent: Thursday, December 18, 2014 10:09 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] question about paf

Hi,
I have a question about protocol aware flushing (paf).
As I understand, paf allows snort to more intelligently deal with flushing.

However, there is paf_max which defines maximum pdu snort can handle.

config paf_max: <max-pdu>
where <max-pdu> is between zero (off) and 63780.

So does this mean that if a given attack somehow spans across a large data stream of more than 63K in size, snort will 
fail to detect it because snort will eventually flush the buffer in the middle of the stream?  If so, is that safe?

* It certainly could cause detection to fail.  Snort, like all software, has pragmatic constraints like this because it 
has to stop buffering and start detecting at some point.  There are other strategies, like running bytes through 
detection multiple times, but that degrades performance significantly.  Snort instead attempts to reassemble PDUs so 
that detection examines what the receiving application processes.

* There are ways to deal with the limits though.  If a PDU must be split, Snort shifts the split point by a random 
amount to make it less predictable.  Also, the issue you bring up could be handled by setting a flow bit on an earlier 
PDU or PDU part and checking that when detecting a later PDU or PDU part.  Also, preprocessors check for any conditions 
that must be detected before the PDU is assembled.

-HS
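The flowbit technique Russ describes, written out as an added example (not part of the original thread and not a rule from the Snort project): a two-rule pair for Snort 2.9.x in which the first rule records that the leading part of a pattern was seen on a flow, and the second alerts only if the trailing part arrives later on the same flow with that bit set. The `paf_max` line is the documented syntax from the question above; the markers `PART-ONE-MARKER` and `PART-TWO-MARKER`, the flowbit name `example.part1`, the port and the SIDs are constructed placeholders, not real signatures.

```snort
# Constructed example: detecting a pattern whose two halves may land in
# different reassembled chunks once a PDU exceeds paf_max and gets split.

# snort.conf: raise the PDU reassembly cap to the largest value PAF accepts
# (0 turns PAF off; 63780 is the documented upper bound).
config paf_max: 63780

# Rule 1: the first half was seen. Remember that on the flow, but do not
# alert yet (flowbits:noalert suppresses the event for this rule).
# PART-ONE-MARKER is a placeholder for the real leading content.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE split-PDU part 1 observed"; \
    flow:to_server,established; \
    content:"PART-ONE-MARKER"; \
    flowbits:set,example.part1; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Rule 2: the second half arrives in a later PDU or PDU fragment on the
# same flow. flowbits:isset ties it back to rule 1, so a stray
# PART-TWO-MARKER without the preceding half does not fire.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"EXAMPLE split-PDU attack, both halves seen on flow"; \
    flow:to_server,established; \
    flowbits:isset,example.part1; \
    content:"PART-TWO-MARKER"; \
    sid:1000002; rev:1; )
```

The bit lives on the flow in the stream preprocessor, so the check in rule 2 works whether the two halves are in one reassembled buffer or in two chunks separated by a flush. SIDs at or above 1000000 are the conventional local range. This covers the ordering case Russ mentions; it does not help when a single `content` match itself must straddle the split point, which is the case the randomised split point and the preprocessor checks he describes are aimed at.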

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
