Snort mailing list archives
Re: Preprocessor :: HTTP Inspect
From: "Tom Peters (thopeter)" <thopeter () cisco com>
Date: Wed, 9 Apr 2014 17:42:01 +0000
Chinmay,

I remember reading that paragraph in the manual when I started working here. It is a legacy and you would do well just to forget it.

Once upon a time it was true. HTTP Inspect included "stateless" and "stateful" processing, except that the latter was actually nothing but lengthy hooks for an unimplemented feature. Hence the paragraph.

Snort went a different direction a long time ago. Protocol Aware Flushing (PAF) was developed and HTTP was integrated with streams and TCP processing. Modern HTTP Inspect has many session-aware features.

By strange coincidence a colleague of mine removed the old "stateful" hooks from the source code last week. They will be gone in a future open source release.

Tom

From: Chinmay Mahata <chinmay_mahata () rediffmail com>
Date: Wednesday, April 9, 2014 5:03 AM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>
Subject: [Snort-users] Preprocessor :: HTTP Inspect

Hi All,

I have a query regarding preprocessor http_inspect. In snort doc directory the file README.http_inspect says:

"The current version of HTTP Inspect only handles stateless processing. This means that HTTP Inspect looks for HTTP fields on a packet-by-packet basis, and will be fooled if packets are not reassembled. This works fine when there is another module handling the reassembly, but there are limitations in analyzing the protocol. Future versions will have a stateful processing mode which will hook into various reassembly modules."

We are getting this overview for all snort releases from 2.9.0.5 to 2.9.6.0. So, in which future version of snort we can expect to get "stateful processing" after reassembling (and uncompressing) http packets in http_inspect preprocessor or is it already there?

Thanks in advance.

Best regards,
--Chinmay
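
The limitation quoted from README.http_inspect above (field matching packet by packet versus matching on a reassembled stream), shown as an added example that is not part of the thread and is not Snort's code. The segment values, the URI and all helper names are constructed for illustration, and the overlap policy used (bytes already in the stream are kept) is an assumption; real TCP stacks differ.

```python
import re

# Complete HTTP/1.x request line at the start of a buffer.
REQ_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")

def parse_uri(data):
    """Return the request URI if data starts with a full request line, else None."""
    m = REQ_LINE.match(data)
    return m.group(2) if m else None

def stateless_uris(segments):
    """Packet-by-packet view: each TCP payload is parsed in isolation."""
    return [parse_uri(payload) for _seq, payload in segments]

def reassemble(segments, base_seq):
    """Rebuild the byte stream from (seq, payload) pairs.

    base_seq is the sequence number of the first payload byte.
    Assumed policy: sort by sequence number, keep bytes already in the
    stream on overlap or retransmission, stop at the first gap.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        offset = seq - base_seq
        if offset > len(stream):
            break  # hole in the stream: nothing after it is contiguous yet
        stream += payload[len(stream) - offset:]  # append only unseen bytes
    return bytes(stream)

def stateful_uri(segments, base_seq):
    """Stream view: parse once, after reassembly."""
    return parse_uri(reassemble(segments, base_seq))

# Constructed sample: one request split across three segments, delivered
# out of order with one retransmission. Sequence base and URI are made up.
BASE = 1000
REQUEST = b"GET /reports/summary.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SEGMENTS = [
    (BASE + 10, REQUEST[10:25]),
    (BASE, REQUEST[:10]),
    (BASE + 10, REQUEST[10:25]),  # retransmitted copy
    (BASE + 25, REQUEST[25:]),
]

if __name__ == "__main__":
    print("per-packet :", stateless_uris(SEGMENTS))
    print("reassembled:", stateful_uri(SEGMENTS, BASE))
```

No single payload contains a complete request line, so the per-packet view extracts no URI at all, while the reassembled stream yields it.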