[Snort-users] question about paf

Russ Combs (rucombs) rucombs at ...589...
Thu Dec 18 11:35:21 EST 2014

From: Hyunseok [hyunseok at ...6185...]
Sent: Thursday, December 18, 2014 10:09 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] question about paf

I have a question about protocol aware flushing (paf).
As I understand, paf allows snort to more intelligently deal with flushing.

However, there is paf_max which defines maximum pdu snort can handle.

config paf_max: <max-pdu>
where <max-pdu> is between zero (off) and 63780.

So does this mean that if a given attack somehow spans across a large data stream of more than 63K size, snort will fail to detect it because snort will eventually flush buffer in the middle of the stream?  If so, is that safe?

* It certainly could cause detection to fail.  Snort, like all software, has pragmatic constraints like this because it has to stop buffering and start detecting at some point.  There are other strategies, like running bytes through detection multiple times, but that degrades performance significantly.  Snort instead attempts to reassemble PDUs so that detection examines what the receiving application processes.

* There are ways to deal with the limits though.  If a PDU must be split, Snort shifts the split point by a random amount to make it less predictable.  Also, the issue you bring up could be handled by setting a flow bit on an earlier PDU or PDU part and checking that when detecting a later PDU or PDU part.  Also, preprocessors check for any conditions that must be detected before the PDU is assembled.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20141218/4c810d1c/attachment.html>

More information about the Snort-users mailing list