Snort mailing list archives
Re: Question about http_inspect
From: "Rahul Burman (rahburma)" <rahburma () cisco com>
Date: Mon, 21 Sep 2015 09:58:35 +0000
It is not really required as the response codes and headers are available in the first response packet itself. You can actually go through the code under HttpInspect module. I believe it is well explained there.

Rahul Burman
rahburma () cisco com

From: Asim Jamshed [mailto:asim.jamshed () gmail com]
Sent: Monday, September 21, 2015 3:14 PM
To: Rahul Burman (rahburma)
Cc: snort-devel () lists sourceforge net
Subject: Re: Question about http_inspect

Thanks. Can you please elaborate on why it cannot do stateful inspection on server response?

--Asim

On Monday, September 21, 2015, Rahul Burman (rahburma) <rahburma () cisco com> wrote:

HttpInspect module is stateless while inspecting the server responses. There is a provision to do both stateless and stateful traffic inspection.

Regards
Rahul

-----Original Message-----
From: Asim Jamshed [mailto:asim.jamshed () gmail com]
Sent: Sunday, September 20, 2015 4:55 PM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] Question about http_inspect

Hi,

I was going through the Snort manual and it says that the http inspect module is stateless (analyzes flows on a per-packet basis). Is that right?
I was wondering why it can use stream5 module and perform stateful management like ftp, telnet and smtp protocols?

Thanks,
--Asim

------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Question about http_inspect Asim Jamshed (Sep 20)
- Re: Question about http_inspect Rahul Burman (rahburma) (Sep 21)
- Re: Question about http_inspect Asim Jamshed (Sep 21)
- Re: Question about http_inspect Rahul Burman (rahburma) (Sep 21)
- Re: Question about http_inspect Asim Jamshed (Sep 21)
- Re: Question about http_inspect Russ (Sep 21)
- Re: Question about http_inspect Asim Jamshed (Sep 21)
- Re: Question about http_inspect Russ (Sep 21)
- Re: Question about http_inspect Asim Jamshed (Sep 21)
- Re: Question about http_inspect Rahul Burman (rahburma) (Sep 21)