[Oisf-users] af_packet and rss queue count

Cooper F. Nelson cnelson at ucsd.edu
Sat Jan 28 19:01:26 UTC 2017


This is very true, however GRO requires multiple packets on the wire in
order to work and many (most?) of the rules using the dsize keyword are
only detecting a single packet anyway.  I just checked and I'm still
getting lots of hits for these rules.

*But* you are of course correct so I'm going to try removing the dsize
keyword and see what happens to our detection and rate of false positives.

-Coop

On 1/27/2017 4:49 AM, Victor Julien wrote:
> Keep in mind that GRO will break Suricata's dsize keyword, at least
> where it's used to match on specific or maximum packet sizes. There are
> 776 rules using dsize in some form in current ETopen, so you may lose
> some real detection.

-- 
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
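To make the coalescing effect discussed above concrete, here is an added example (not code from this thread or from Suricata) that models GRO merging back-to-back TCP segments of one flow before the sensor sees them, and evaluates a simplified dsize check over the traffic before and after; the flow, sequence numbers and payloads are constructed, and the dsize parser only covers the `<N`, `>N` and `N` forms.

```python
"""Toy model of how GRO coalescing interacts with a dsize-style rule."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as the capture interface would see it (constructed, not real traffic)."""
    flow: tuple   # (src, sport, dst, dport); assumed fields for this model
    seq: int
    payload: bytes


def gro_coalesce(segments, max_len=65535):
    """Mimic GRO: merge in-order segments of the same flow that arrive back to back
    into one larger segment, as the driver would before Suricata processes them."""
    out = []
    for seg in segments:
        if out:
            last = out[-1]
            contiguous = last.flow == seg.flow and last.seq + len(last.payload) == seg.seq
            if contiguous and len(last.payload) + len(seg.payload) <= max_len:
                out[-1] = Segment(last.flow, last.seq, last.payload + seg.payload)
                continue
        out.append(seg)
    return out


def parse_dsize(spec):
    """Turn a dsize value ('<N', '>N' or 'N') into a size predicate; None means no dsize."""
    if spec is None:
        return lambda size: True
    spec = spec.strip().rstrip(";")
    if spec.startswith("<"):
        n = int(spec[1:])
        return lambda size: size < n
    if spec.startswith(">"):
        n = int(spec[1:])
        return lambda size: size > n
    n = int(spec)
    return lambda size: size == n


def count_alerts(segments, content, dsize_spec=None):
    """Count segments carrying `content` whose payload length satisfies the dsize predicate."""
    pred = parse_dsize(dsize_spec)
    return sum(1 for s in segments if content in s.payload and pred(len(s.payload)))


# Constructed sample: four back-to-back 40-byte segments on one flow, each with the pattern.
FLOW = ("10.0.0.5", 40000, "10.0.0.9", 80)
WIRE = [Segment(FLOW, 1000 + 40 * i, b"EVIL" + b"x" * 36) for i in range(4)]


def demo():
    """Alert counts: dsize rule on raw vs. coalesced input, and content-only on coalesced input."""
    coalesced = gro_coalesce(WIRE)
    return (count_alerts(WIRE, b"EVIL", "<100"),
            count_alerts(coalesced, b"EVIL", "<100"),
            count_alerts(coalesced, b"EVIL"))
```

With GRO the four small segments become one 160-byte segment, so the `dsize:<100` rule goes from four hits to none, while the same signature without dsize still fires once.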
