[Snort-users] question about paf
hyunseok at ...6185...
Thu Dec 18 10:09:35 EST 2014
I have a question about protocol aware flushing (paf).
As I understand, paf allows snort to more intelligently deal with flushing.
However, there is paf_max, which defines the maximum PDU snort can handle:

    config paf_max: <max-pdu>

where <max-pdu> is between zero (off) and 63780.
So does this mean that if a given attack somehow spans a large data
stream of more than 63K in size, snort will fail to detect it because snort
will eventually flush the buffer in the middle of the stream? If so, is that