Re: Http_inspect

[Joel Esler <joel.esler () sourcefire com>]

It's for both the IDS and the IPS.  HTTP is a strange beast, Snort,  
with it's http normalizer processor, will "normalize" traffic.  Make  
it human readable.

If URL's are encoded in Unicode, or example, Snort will translate  
them to ascii before passing that session over to the rules engine.   
That way, Not only does the Engine not have to work as hard, but the  
rules are easier to write as well.


Joel Esler
SFCE, SnortCP, GCIA
Security Consultant
Sourcefire, Inc
AIM: eslerjoel
joel.esler () sourcefire com




On Oct 20, 2005, at 4:41 PM, Cody Holland wrote:

> Is the http_inpect preprocessor for an inline sensor?  The only  
> reason I
> ask is that it talks about "normalizing http packets".
>
> Thanks,
> Cody
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads,  
> discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users