Snort mailing list archives
Re: question about paf
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Thu, 18 Dec 2014 16:35:21 +0000
From: Hyunseok [hyunseok () ieee org]
Sent: Thursday, December 18, 2014 10:09 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] question about paf

Hi,

I have a question about protocol aware flushing (paf). As I understand, paf allows snort to more intelligently deal with flushing. However, there is paf_max, which defines the maximum pdu snort can handle.

config paf_max: <max-pdu>

where <max-pdu> is between zero (off) and 63780.

So does this mean that if a given attack somehow spans across a large data stream of more than 63K size, snort will fail to detect it because snort will eventually flush the buffer in the middle of the stream? If so, is that safe?

* It certainly could cause detection to fail. Snort, like all software, has pragmatic constraints like this because it has to stop buffering and start detecting at some point. There are other strategies, like running bytes through detection multiple times, but that degrades performance significantly. Snort instead attempts to reassemble PDUs so that detection examines what the receiving application processes.

* There are ways to deal with the limits though. If a PDU must be split, Snort shifts the split point by a random amount to make it less predictable. Also, the issue you bring up could be handled by setting a flow bit on an earlier PDU or PDU part and checking that when detecting a later PDU or PDU part. Also, preprocessors check for any conditions that must be detected before the PDU is assembled.

-HS
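The two-stage flowbit approach described in the reply, written out as Snort 2.x configuration and rules. This is an added example, not code from the thread or from the Snort project; the paf_max value, the header name, the follow-up token, the flowbit name and the sids are all constructed.

```snort
# Constructed example: paf_max chosen well below the 63780 ceiling so a
# large PDU is flushed in pieces; the two rules below still detect a
# pattern whose parts land in different pieces.
config paf_max: 16000

# Stage 1: fires on the earlier PDU (or PDU part), records state in a
# flowbit and stays silent on its own (flowbits:noalert).
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE stage 1 - marker seen in earlier PDU part"; flow:to_server,established; content:"X-Example-Marker|3A|"; nocase; flowbits:set,example_stage1; flowbits:noalert; sid:1000001; rev:1;)

# Stage 2: fires on a later PDU (or PDU part) of the same flow, but only
# if stage 1 already set the bit, so the split point no longer matters.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE stage 2 - follow-up seen after stage 1 on same flow"; flow:to_server,established; flowbits:isset,example_stage1; content:"example-followup-token"; nocase; sid:1000002; rev:1;)
```

Each stage is matched independently against whatever Snort flushes, so neither content needs to fall inside a single reassembled buffer; the per-flow bit carries the state across the flush boundary.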