[Snort-devel] Thoughts on threads

Todd Lewis tlewis at ...255...
Mon Apr 30 14:53:25 EDT 2001


On Mon, 30 Apr 2001, Jon Bentley wrote:

> I'm not concerned about packet re-ordering on the network; I'm concerned
> about granting Heisenberg access to my NIDS boxen. (...)
> 
> Just my two cents.  I've spooled off a couple of current situations wherein
> packet ordering was necessary for post-processing.

I think that we may be talking past each other here.  The reason that I
brought the issue up after three weeks of dormancy is that I get the
feeling that you know something that I don't, and I really want to
understand you here.

In your pre-attack-scan-detection example, it would seem to me that,
if an output plugin is fouling the works, you would actually want the
ability to evaluate packets in parallel at the cost of ordering; your
detector, it seems to me, needs to be able to detect out-of-order attacks,
and this way, you can stop the attack despite the hog plugin.

Can you explain why network reordering doesn't bother you,
or, alternately, why network reordering wouldn't cause just as much
disruption in the detection process as Snort-induced reordering would?
Is it just that you consider missing reordered traffic a cost of doing
business and you want to minimize it, or is preserving observed network
order (even though that may not be the original order of transmission)
important for some concrete reason?  I understand the former position,
even though I don't agree with it.  However, if your position is the
latter one, then I am not understanding a very important need on the
part of users, and I would really appreciate your explaining it to me.
This is the clarification that I seek.

--
Todd Lewis
tlewis at ...255...
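As an added illustration of the point above about detectors that must tolerate out-of-order evaluation (example code, not from the original thread and not Snort's own code): a small scan detector that keys on each packet's capture timestamp rather than on the order the engine hands packets over, so reordering caused by parallel evaluation does not change its alerts. The packet records, threshold and window size are constructed assumptions.

```python
from collections import defaultdict
import random

# Constructed sample capture: (capture_ts, src, dst, dport).
# 10.0.0.5 probes five ports of 10.0.0.9 within 40 ms (a scan);
# 10.0.0.7 makes two ordinary connections seconds apart (benign).
PACKETS = [
    (0.00, "10.0.0.5", "10.0.0.9", 22),
    (0.01, "10.0.0.5", "10.0.0.9", 23),
    (0.02, "10.0.0.5", "10.0.0.9", 25),
    (0.03, "10.0.0.5", "10.0.0.9", 80),
    (0.04, "10.0.0.5", "10.0.0.9", 443),
    (1.00, "10.0.0.7", "10.0.0.9", 80),
    (5.00, "10.0.0.7", "10.0.0.9", 443),
    (10.0, "10.0.0.5", "10.0.0.9", 8080),  # outside the scan window
]

THRESHOLD = 5   # distinct destination ports from one source pair ...
WINDOW = 2.0    # ... observed within this many seconds of capture time


def detect_scans(packets, threshold=THRESHOLD, window=WINDOW):
    """Return the set of (src, dst) pairs that look like port scans.

    Events are grouped per (src, dst) and sorted by capture timestamp
    inside the detector, so the verdict depends only on what was seen on
    the wire, not on the order in which a threaded engine delivered it.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport in packets:
        by_pair[(src, dst)].append((ts, dport))
    alerts = set()
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= threshold:
                alerts.add(pair)
                break
    return alerts


def reordered(packets, seed=1):
    """Simulate engine-induced reordering by shuffling delivery order."""
    pkts = list(packets)
    random.Random(seed).shuffle(pkts)
    return pkts
```

Feeding the capture in wire order and in shuffled order yields the same alert set, which is exactly the property a detector needs if packets are evaluated in parallel.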
