[Snort-devel] Trivial question

Russ Combs rcombs at ...402...
Thu Sep 12 15:50:21 EDT 2013


Snort reassembles different protocols differently.  The 17K number is close
to the paf_max default of 16K.  PDUs (protocol data units like an HTTP
response) larger than paf_max are truncated into paf_max blocks for
processing by Snort.  The FTP data channel does not get reassembled in that
fashion.  Simplifying things, in inline IPS mode, it will reassemble every
2 data segments.  Otherwise, every 2 or more acknowledged data segments,
upon acknowledgement.  Typically this will be around 2*1460 = 2920 bytes.

So, based on the limited info in your question, the answer is yes, that is
correct.


On Wed, Sep 11, 2013 at 3:17 PM, Reinoud Koornstra <sockstat at ...445...> wrote:

> Dear Everyone,
>
> When I run HTTP traffic through Snort, while Snort is in inline mode and
> monitoring the size of the packets, I see that every 4 or more full-MTU
> packets a packet of 17k bytes is being processed by Snort. I am seeing this
> with most kinds of traffic, but not with FTP.
> Is that correct or not?
> Thanks,
>
> Reinoud.
>
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
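The two reassembly behaviours in Russ's reply, as an added model that is not Snort source and not part of the original thread: PDUs larger than paf_max are cut into paf_max-sized blocks, and a flow that is not protocol-aware (the FTP data channel) is flushed every two data segments. The 16K default, the 1460-byte MSS, and the choice to flush any trailing partial group at end of flow are assumptions stated in the code, not values taken from Snort's implementation.

```python
"""Simplified model of Snort's two reassembly behaviours described above.

Added illustration, not Snort code: it reproduces only the arithmetic in the
reply (paf_max blocks vs. a flush every two data segments).
"""
from typing import List

PAF_MAX_DEFAULT = 16 * 1024   # paf_max default of 16K (assumed to be 16384 bytes)
MSS = 1460                    # typical TCP payload on a 1500-byte MTU path


def paf_blocks(pdu_len: int, paf_max: int = PAF_MAX_DEFAULT) -> List[int]:
    """Block sizes handed to inspection for one PDU of pdu_len bytes.

    A PDU larger than paf_max is truncated into paf_max-sized blocks; the
    remainder becomes a final, smaller block.
    """
    if pdu_len <= 0:
        return []
    full, rest = divmod(pdu_len, paf_max)
    return [paf_max] * full + ([rest] if rest else [])


def segment_flushes(segment_sizes: List[int], flush_every: int = 2) -> List[int]:
    """Reassembled buffer sizes for a flow without PAF (e.g. the FTP data channel).

    The buffer is flushed every `flush_every` data segments; zero-length
    entries (pure ACKs) carry no data and are ignored. A trailing partial
    group is flushed when the flow ends (assumption of this model).
    """
    flushes: List[int] = []
    pending = 0
    count = 0
    for size in segment_sizes:
        if size <= 0:
            continue
        pending += size
        count += 1
        if count == flush_every:
            flushes.append(pending)
            pending = 0
            count = 0
    if pending:
        flushes.append(pending)
    return flushes


if __name__ == "__main__":
    # Constructed inputs: a 40,000-byte HTTP response and five full-MSS FTP data segments.
    print("HTTP response blocks:", paf_blocks(40_000))        # [16384, 16384, 7232]
    print("FTP data flushes:   ", segment_flushes([MSS] * 5))  # [2920, 2920, 1460]
```

The first call shows why a large HTTP response is seen as blocks near 16K rather than one buffer; the second shows the roughly 2*1460 = 2920-byte flushes Russ mentions for the FTP data channel.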

