Comments for Inliniac http://www.inliniac.net/blog Everything inline. Fri, 04 Jul 2008 13:09:35 +0000 http://wordpress.org/?v=2.5.1 Comment on Multiple Snort_inline processes with Vuurmuur by Aki Heikkinen http://www.inliniac.net/blog/2007/11/12/multiple-snort_inline-processes-with-vuurmuur.html#comment-11369 Aki Heikkinen Sun, 15 Jun 2008 18:05:37 +0000 http://www.inliniac.net/blog/2007/11/12/multiple-snort_inline-processes-with-vuurmuur.html#comment-11369 Has anyone tried dynamically reassign queques to different snort_inline instances on the fly based on traffic volume per destination port? Currently we just statically balance between different instances running on different processor cores but this setup leaves much to be desired. Has anyone tried dynamically reassign queques to different snort_inline instances on the fly based on traffic volume per destination port? Currently we just statically balance between different instances running on different processor cores but this setup leaves much to be desired.

]]> Comment on Debian should update their Snort package by Thijs http://www.inliniac.net/blog/2007/06/16/debian-should-update-their-snort-package.html#comment-11243 Thijs Fri, 25 Apr 2008 10:58:02 +0000 http://www.inliniac.net/blog/?p=87#comment-11243 Just for the record, some time to develop the rulesets made most of Debian's concerns go away, and Snort 2.7 will be in the next release (lenny / 5.0). Just for the record, some time to develop the rulesets made most of Debian’s concerns go away, and Snort 2.7 will be in the next release (lenny / 5.0).

]]> Comment on TCP Window scaling in Snort_inline by Victor Julien http://www.inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline.html#comment-11206 Victor Julien Fri, 11 Apr 2008 17:59:47 +0000 http://www.inliniac.net/blog/?p=85#comment-11206 Yes, that is correct. Yes, that is correct.

]]> Comment on TCP Window scaling in Snort_inline by chuzhenlin http://www.inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline.html#comment-11204 chuzhenlin Fri, 11 Apr 2008 14:36:32 +0000 http://www.inliniac.net/blog/?p=85#comment-11204 Hi Victor: When we normalize the window for a stream, the stream becomes slow because the window size is smaller, but the connection remains. This case is different than the former normalizing the wscale. Is my understanding right? Hi Victor:

When we normalize the window for a stream, the stream becomes slow because the window size is smaller, but the connection remains. This case is different than the former normalizing the wscale.

Is my understanding right?

]]> Comment on TCP Window scaling in Snort_inline by Victor Julien http://www.inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline.html#comment-11196 Victor Julien Sun, 06 Apr 2008 19:15:24 +0000 http://www.inliniac.net/blog/?p=85#comment-11196 The connection remains, but no data is sent over it anymore. In the post I linked to I described why that makes sense and why the window scaling normalization is broken and should not be used. The concept is just flawed. The connection remains, but no data is sent over it anymore. In the post I linked to I described why that makes sense and why the window scaling normalization is broken and should not be used. The concept is just flawed.

]]> Comment on TCP Window scaling in Snort_inline by chuzhenlin http://www.inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline.html#comment-11194 chuzhenlin Sun, 06 Apr 2008 14:54:06 +0000 http://www.inliniac.net/blog/?p=85#comment-11194 Lower the wscales of the client and server just make the stream slow, but the connection still remains. Right? Does the window size tell another host how much space the sender has to receive the packets? Sorry for my poor commen sense. Lower the wscales of the client and server just make the stream slow, but the connection still remains. Right?
Does the window size tell another host how much space the sender has to receive the packets?
Sorry for my poor commen sense.

]]> Comment on TCP Window scaling in Snort_inline by Victor Julien http://www.inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline.html#comment-11190 Victor Julien Sun, 06 Apr 2008 10:34:49 +0000 http://www.inliniac.net/blog/?p=85#comment-11190 No, please see <a href="http://www.inliniac.net/blog/2007/09/04/window-scaling-normalization-in-snort_inline-broken-by-design.html" rel="nofollow">this</a> post. The wscale normalization principle is just flawed. No, please see this post. The wscale normalization principle is just flawed.

]]> Comment on TCP Window scaling in Snort_inline by chuzhenlin http://www.inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline.html#comment-11189 chuzhenlin Sun, 06 Apr 2008 03:54:31 +0000 http://www.inliniac.net/blog/?p=85#comment-11189 Stream4 65 revision nornalizes the wscale of option in tcp header while stream4 69 revision normalizes the window size of tcp header. What if we add an option in the configure file. When the cpu is busy, we just normalize the wscale of syn packets because only syn packets of three handshake have the wscale option work. Then we dont have to modify all packets in a steam. Will it work? Stream4 65 revision nornalizes the wscale of option in tcp header while stream4 69 revision normalizes the window size of tcp header. What if we add an option in the configure file. When the cpu is busy, we just normalize the wscale of syn packets because only syn packets of three handshake have the wscale option work. Then we dont have to modify all packets in a steam.

Will it work?

]]> Comment on TCP Window scaling in Snort_inline by Victor Julien http://www.inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline.html#comment-11184 Victor Julien Sat, 05 Apr 2008 15:01:39 +0000 http://www.inliniac.net/blog/?p=85#comment-11184 See <a href="http://www.inliniac.net/blog/2007/11/17/new-snort_inline-tcp-window-normalization-code-in-svn.html" rel="nofollow">here</a> and <a href="http://snort-inline.svn.sourceforge.net/viewvc/snort-inline/trunk/src/preprocessors/spp_stream4.c?view=diff&r1=69&r2=65&diff_format=h" rel="nofollow">here</a> for the current implementation. Wrt the speeds, it all depends on the hardware you use. It's hard to make general statements about that... See here and here for the current implementation.

Wrt the speeds, it all depends on the hardware you use. It’s hard to make general statements about that…

]]> Comment on TCP Window scaling in Snort_inline by chuzhenlin http://www.inliniac.net/blog/2007/06/16/tcp-window-scaling-in-snort_inline.html#comment-11182 chuzhenlin Sat, 05 Apr 2008 07:47:06 +0000 http://www.inliniac.net/blog/?p=85#comment-11182 What high speed links will snort_inline perform badly when it deal with? 10M? 20M? What high speed links will snort_inline perform badly when it deal with? 10M? 20M?

]]>