[Snort-users] question about paf

Hyunseok hyunseok at ...6185...
Thu Dec 18 10:09:35 EST 2014

I have a question about protocol aware flushing (paf).
As I understand, paf allows snort to more intelligently deal with flushing.

However, there is paf_max, which defines the maximum PDU Snort can handle.

config paf_max: <max-pdu>
where <max-pdu> is between zero (off) and 63780.

So does this mean that if a given attack somehow spans across a large data
stream of more than 63K size, snort will fail to detect it because snort
will eventually flush the buffer in the middle of the stream?  If so, is that
