How can Suricata function prior to scrub?

Started by barold, February 09, 2024, 04:39:13 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 09, 2024, 04:39:13 PM
Hello everyone.

I've encountered the fabulous packet flow diagram at https://forum.opnsense.org/index.php?topic=36326.0. (It's so good that it gives me goosebumps.) One thing in the diagram confuses me quite a bit. Whenever that happens I usually learn something new. :)

The diagram depicts that Suricata processes ingress traffic before pf scrubs. How does Suricata manage that before potentially fragmented packets are reassembled?
February 17, 2024, 01:22:05 AM #1
The placement of Suricata before pf scrubbing in the packet flow diagram may seem counterintuitive at first, especially considering potential fragmentation issues. However, Suricata's ability to process traffic before pf scrubbing is based on its integration with libpcap and its packet processing capabilities.
Print
Go Up Pages1
User actions