[Snort-devel] Trivial question

Reinoud Koornstra sockstat at ...445...
Thu Sep 12 16:19:07 EDT 2013

Ok, thanks.

Does this also hold for snort reading a pcap containing an ftp session?

Date: Thu, 12 Sep 2013 15:50:21 -0400
Subject: Re: [Snort-devel] Trivial question
From: rcombs at ...402...
To: sockstat at ...445...
CC: snort-devel at lists.sourceforge.net

Snort reassembles different protocols differently.  The 17K number is close to the paf_max default of 16K.  PDUs (protocol data units like an HTTP response) larger than paf_max are truncated into paf_max blocks for processing by Snort.  The FTP data channel does not get reassembled in that fashion.  Simplifying things, in inline IPS mode, it will reassemble every 2 data segments.  Otherwise, every 2 or more acknowledged data segments, upon acknowledgement.  Typically this will be around 2*1460 = 2920 bytes.

So, based on the limited info in your question, the answer is yes, that is correct.

On Wed, Sep 11, 2013 at 3:17 PM, Reinoud Koornstra <sockstat at ...445...> wrote:

Dear Everyone,
When I run HTTP traffic through Snort, while Snort is in inline mode and monitoring the size of the packets, I see that every 4 or more full-MTU packets a packet of 17k bytes is being processed by Snort. I am seeing this with most kinds of traffic, but not with FTP.
Is that correct or not?

Snort-devel mailing list
Snort-devel at lists.sourceforge.net

Please visit http://blog.snort.org for the latest news about Snort!
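A small Python model of the two reassembly behaviours described in the quoted reply, added here for illustration; it is not Snort's code or the posters' code. The paf_max default (16384) and the "flush every 2 acknowledged segments" rule come from the thread; the 1460-byte segment size and the end-of-stream flush are assumptions of the model.

```python
# Simplified model of the two Snort reassembly behaviours discussed above.
# Illustrative only, not Snort's implementation: paf_max and the
# "every 2 acked segments" rule are from the thread; MSS and the
# end-of-stream flush are constructed assumptions.
from typing import Dict, List

PAF_MAX = 16384          # paf_max default quoted in the thread (16K)
MSS = 1460               # assumed TCP payload size for a 1500-byte MTU


def paf_blocks(pdu_len: int, paf_max: int = PAF_MAX) -> List[int]:
    """Block sizes a PAF-aware protocol (e.g. HTTP) hands to the
    preprocessors: a PDU longer than paf_max is cut into paf_max-sized
    blocks plus the remainder."""
    if pdu_len <= 0:
        return []
    full, rest = divmod(pdu_len, paf_max)
    return [paf_max] * full + ([rest] if rest else [])


def ftp_data_flushes(segment_sizes: List[int], acks_after: int = 2) -> List[int]:
    """Flush sizes for a non-PAF stream such as the FTP data channel:
    buffered data is flushed once `acks_after` or more segments have been
    acknowledged; whatever is left is flushed when the stream ends
    (the end-of-stream flush is an assumption of this model)."""
    flushes: List[int] = []
    pending, pending_bytes = 0, 0
    for size in segment_sizes:
        pending += 1
        pending_bytes += size
        if pending >= acks_after:
            flushes.append(pending_bytes)
            pending, pending_bytes = 0, 0
    if pending_bytes:
        flushes.append(pending_bytes)
    return flushes


def describe(pdu_len: int) -> Dict[str, List[int]]:
    """Chunk the same payload under both policies for side-by-side comparison."""
    full, rest = divmod(pdu_len, MSS)
    segments = [MSS] * full + ([rest] if rest else [])
    return {"http_like": paf_blocks(pdu_len), "ftp_data": ftp_data_flushes(segments)}


if __name__ == "__main__":
    # Constructed example: a 40000-byte transfer under each policy
    print(describe(40000))
```

For a 40000-byte transfer the HTTP-like path yields two 16K blocks and a remainder, while the FTP data path yields a long run of ~2920-byte flushes, matching the sizes quoted in the reply.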

