[Snort-devel] Snort.org Blog: Snort 2.9.1 beta coming soon!

Martin Holste mcholste at ...2499...
Mon Jun 13 15:03:01 EDT 2011


> No - that is still TBD.  Are you seeing much traffic like this or just
> concerned about attacks?

Both.  We see 206's sent with extreme regularity both in legitimate
and illegitimate applications.

> No - logging is in the main thread.

Ok, I get why stream reassembly is theoretically more efficient in a
single thread because of CPU caching, etc., but I don't understand why
packets still have to wait in line for a u2 entry to be written.  It
seems like tossing output from the main thread into an async output
thread would be pretty easy because you don't have to keep state and
everything is one-way.  For alerting, the volume is not an issue, but
as more analysts use packet tagging and now HTTP logging, the strain
on that single main thread is going to cause packet drops for some if
they're not extremely careful.  If I'm missing something, I'd be
grateful for clarification.
