Snort mailing list archives
Re: server_flow_depth
From: jorbru30 () comcast net
Date: Wed, 14 Nov 2012 00:56:07 +0000 (UTC)
Hi Again,

I would like to ask the question in a different way in case I was not clear before. If the detection engine has to inspect more than one packet from every HTTP flow (because server_flow_depth is set to a higher size), does the engine run pattern matching on each packet separately, or does it assemble all packets from a flow and run pattern matching on the assembled content?

I appreciate any clarification and pointers to refer to.

Thanks!
Jordan.

----- Original Message -----
From: jorbru30 () comcast net
To: snort-devel () lists sourceforge net
Sent: Sunday, November 11, 2012 12:38:17 PM
Subject: [Snort-devel] server_flow_depth

Hi Everyone,

I understand that HTTP "server_flow_depth" specifies the maximum amount of payload the snort detection engine inspects per flow. Thus more packets are inspected per flow if this value is higher. I want to understand how "server_flow_depth" affects the detection engine pattern matching process. For instance, if server_flow_depth is set to 5KB, does snort rebuild packets until it captures 5KB, and initiate pattern matching on the entire payload that is assembled from the flow packets? Or does it just inspect each packet separately and not assemble packets at all?

I would appreciate it if anyone can explain the pattern matching process with respect to HTTP "server_flow_depth" in more detail.

Thanks!
Jordan.

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- server_flow_depth jorbru30 (Nov 11)
- Re: server_flow_depth jorbru30 (Nov 13)
- Re: server_flow_depth 薛永刚 (Nov 13)
- Re: server_flow_depth jorbru30 (Nov 13)