Snort mailing list archives
question about paf
From: Hyunseok <hyunseok () ieee org>
Date: Thu, 18 Dec 2014 10:09:35 -0500
Hi,

I have a question about protocol aware flushing (paf). As I understand, paf allows snort to more intelligently deal with flushing. However, there is paf_max which defines maximum pdu snort can handle.

    config paf_max: <max-pdu>

where <max-pdu> is between zero (off) and 63780.

So does this mean that if a given attack somehow spans across a large data stream of more than 63K size, snort will fail to detect it because snort will eventually flush buffer in the middle of the stream? If so, is that safe?

-HS
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- question about paf Hyunseok (Dec 18)
- Re: question about paf Russ Combs (rucombs) (Dec 18)
- Re: question about paf Hyunseok (Dec 18)
- Re: question about paf Russ Combs (rucombs) (Dec 18)
- Re: question about paf Hyunseok (Dec 18)
- Re: question about paf Russ Combs (rucombs) (Dec 18)