[Oisf-users] getting started with suri -- tuning

Cooper F. Nelson cnelson at ucsd.edu
Thu Aug 1 20:07:03 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

See: http://manual.snort.org/node7.html

Suricata has a similar issue: LRO/GRO breaks the stream5 reassembly. It
looks like suri can only 'see' ~4k into a stream with offloading
enabled. So yes, if you can pad your exploit with that much data suri
won't see it with those features enabled.

Note that this is also an issue with tcp stream depth and timeouts.

- -Coop

On 8/1/2013 11:34 AM, Theodore Elhourani wrote:
> Why is it important to have offloading off and Suricata seeing raw (MTU-sized)
> packets?
> Are there specific types of exploits that may not be detected if we allow
> larger sized packets?
> 
> Can someone help clarify this point?
> 
> Thanks,
> Ted
> 
> 


- -- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJR+r/nAAoJEKIFRYQsa8FW5K4H/1EGws8axf7I8nBZgykxIfJV
mwnABYYo6r1YTAKEDgSyUjqbClE9r2BcDi1RA9xzmIEVeX+v1/Vcerk6YkNiRw/B
i3jHHdARuncb4WOvPl0JbUuFmacd2/+euMq+91FQlK7q/wfR20fkNuzKRmzvhnTC
AZnb4b4rBvvtsjs7CFWy8RubVjaVamPojf88x1ORYdnDrKBMcjj/lfgnCEkzgKFQ
WLQ/JhkS8YpQ4KTF8uozOBGwCt466DO+wMnqAIykiC/kQctmCuZMfdkiEQzxR6Id
6duS/mpTaFOQWlVNMHRN1k1Yd3UzQ9rzaqZ3OMo7KvT0A3ekSLCkaEE8ZM87O5I=
=oZX+
-----END PGP SIGNATURE-----
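An added example, not part of Cooper's message and not Suricata project code: a POSIX shell script that parses the output of `ethtool -k` for a capture interface, lists the receive-coalescing and segmentation offloads (GRO, LRO, GSO, TSO) that are still on, and prints the single `ethtool -K ... off` command that turns them off. It works on a constructed `ethtool -k` dump so it runs without root or a real NIC; the interface name eth1 is assumed. For the stream-depth point in the message, the corresponding knob is `stream.reassembly.depth` in suricata.yaml, which caps how far into each TCP stream reassembly (and therefore content inspection) goes.

```shell
#!/bin/sh
# Added example (not from the list post or the Suricata project).
# Audit the NIC offload features that hand the sniffer coalesced,
# larger-than-MTU segments, and emit the ethtool command that disables them.

# ethtool -k feature names that matter for an IDS capture interface.
# GRO/LRO merge received segments; GSO/TSO defer segmentation on transmit,
# which matters when the sensor host also sends traffic on that interface.
OFFLOADS="generic-receive-offload large-receive-offload generic-segmentation-offload tcp-segmentation-offload"

# Constructed sample of 'ethtool -k eth1' output with the offloads still on.
SAMPLE_ETHTOOL_K='Features for eth1:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on
rx-vlan-offload: on
ntuple-filters: off
receive-hashing: off'

# Constructed sample of a correctly tuned interface.
SAMPLE_TUNED='Features for eth1:
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]'

# enabled_offloads TEXT: print, one per line, the names from OFFLOADS that
# TEXT (the output of 'ethtool -k <iface>') reports as "on".
enabled_offloads() {
    printf '%s\n' "$1" | while IFS=': ' read -r name state rest; do
        case " $OFFLOADS " in
            *" $name "*)
                if [ "$state" = "on" ]; then
                    printf '%s\n' "$name"
                fi
                ;;
        esac
    done
}

# short_name FEATURE: the option name 'ethtool -K' expects for FEATURE.
short_name() {
    case "$1" in
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        generic-segmentation-offload) echo gso ;;
        tcp-segmentation-offload)     echo tso ;;
    esac
}

# disable_command IFACE TEXT: print the ethtool -K line that turns off every
# offload still enabled according to TEXT, or nothing if all are already off.
disable_command() {
    iface=$1
    enabled=$(enabled_offloads "$2")
    [ -n "$enabled" ] || return 0
    cmd="ethtool -K $iface"
    for f in $enabled; do
        cmd="$cmd $(short_name "$f") off"
    done
    printf '%s\n' "$cmd"
}

# audit_iface IFACE: run against a real interface (needs ethtool installed).
# Not called here so the script stays offline-safe.
audit_iface() {
    disable_command "$1" "$(ethtool -k "$1")"
}

# Demonstration on the constructed samples.
echo "Untuned interface, offloads still on:"
enabled_offloads "$SAMPLE_ETHTOOL_K"
echo "Command to fix it:"
disable_command eth1 "$SAMPLE_ETHTOOL_K"
echo "Tuned interface needs: '$(disable_command eth1 "$SAMPLE_TUNED")'"
```

Run `audit_iface eth1` as root on the sensor to see the command for a real interface; ethtool resets on reboot, so the resulting `ethtool -K` line belongs in the interface's up script. After disabling the offloads, a capture on that interface should show no frames larger than the link MTU, which is the quick check that the change took effect.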