Thu Nov 23 16:36:19 EST 2017
likely keep your tree smaller _if_ you have a lot of fragments to keep track of.
It won't necessarily result in reduced search times as splay trees try and keep
the most recently accessed node at the top of the tree and if you fail to get
numerous fragments you won't have sped up the search at all. The downside to
changing the timeout to a smaller value is that you incur the added CPU usage
of cleaning up the tree more frequently. I might have interpreted the code
wrong, but last I looked at it that was my impression. You also reduce the
chance that a (intentionally?) "delayed" fragment won't get reassembled within
Snort and won't get alerted on.