[Snort-devel] Thoughts on threads

Jon Bentley jon at ...370...
Mon Apr 30 08:13:01 EDT 2001


I'm thinking of pre-attack scans.  Not that we do things like this here,
but I can see that some sites may attempt to implement post-processing
logic to look for such scans and react accordingly.  Given that the world
is full of kiddies, the scans are usually a few milliseconds prior to the
launch, so reordering even a tad causes me concern.

I'm just bringing this up because it occurs to me; it seems I'm in the
minority, so it's probably something to forget about.

-jb

----- Original Message -----
From: "Todd Lewis" <tlewis at ...255...>
To: "Jon Bentley" <jon at ...370...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Sunday, April 29, 2001 10:17 PM
Subject: Re: [Snort-devel] Thoughts on threads


> On Fri, 6 Apr 2001, Jon Bentley wrote:
>
> > Threads (nee parallelization) would cause me some concern, as it would
> > potentially remove the serial order of received packets.  Perhaps that
> > is a concern of only myself, though.  (Packet sequence numbers, with a
> > post-process reordering?)
>
> Jon, is your objection to traffic reordering in general or reordering
> caused by snort in particular?  I.e., traffic will often be reordered
> as it travels across the network anyway, so what's the trouble with
> snort reordering it as part of its processing?
>
> --
> Todd Lewis
> tlewis at ...255...
>




