[Snort-users] question about paf

Hyunseok hyunseok at ...6185...
Thu Dec 18 10:09:35 EST 2014


Hi,
I have a question about protocol aware flushing (paf).
As I understand, paf allows snort to more intelligently deal with flushing.

However, there is paf_max, which defines the maximum PDU snort can handle.

config paf_max: <max-pdu>
where <max-pdu> is between zero (off) and 63780.

So does this mean that if a given attack somehow spans across a large data
stream of more than 63K in size, snort will fail to detect it because snort
will eventually flush the buffer in the middle of the stream? If so, is that
safe?

-HS