Snort mailing list archives
Re: http_inspect preprocessor and Snort sensor performance
From: "David J. Bianco" <david () vorant com>
Date: Thu, 22 May 2008 08:28:53 -0400
Humes, David G. wrote:
> So, from this one might conclude that disabling http_inspect by commenting out all of its configuration lines in snort.conf does not really disable it, but only invokes some default, suboptimal configuration. Or, maybe the extra work done by http_inspect is offset by a diminished workload in the rules engine. Hopefully someone who knows a lot more about snort than me can explain this behavior. We are running snort 2.8.0.2. But, I have seen this behavior as far back as 2.4.
Your second idea is the correct one. Http_inspect is able to drastically cut down the number of packets that need to be matched against the rules, which really speeds up snort. It also makes some of the rules much more efficient than they would otherwise be (via things like the "uricontent" keyword). And this doesn't even address the normalization and anti-evasion features it provides. All in all, you disable http_inspect at your very great peril. 8-)

David
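Added example, not part of the original post and not Snort code: a sketch of why a pattern matched against a normalized URI (the idea behind the "uricontent" keyword mentioned above) covers request variants that a raw payload match misses. The `normalize_uri` function is a simplified stand-in for HTTP URI normalization, and the request lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines: four spellings of one path, one unrelated.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/test.cgi HTTP/1.0",
    "GET /cgi-bin/%74est.cgi HTTP/1.0",
    "GET /cgi-bin/./test.cgi HTTP/1.0",
    "GET /cgi-bin//x/../test.cgi HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

def normalize_uri(raw_uri):
    """Simplified normalization (assumption: illustrative, not Snort's logic)."""
    path, sep, query = raw_uri.partition("?")
    path = unquote(path, encoding="latin-1")   # decode %XX escapes
    path = path.replace("\\", "/")             # treat backslash as a separator
    path = re.sub(r"/{2,}", "/", path)         # collapse repeated slashes
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue                           # drop self-references
        if seg == "..":
            if len(out) > 1:
                out.pop()                      # step up, never above the root
            continue
        out.append(seg)
    return ("/".join(out) or "/") + sep + query

def raw_content_match(pattern, request_line):
    """Byte-for-byte match against the request as it appeared on the wire."""
    return pattern in request_line

def uricontent_match(pattern, request_line):
    """Match against the normalized URI only."""
    _method, uri, _version = request_line.split(" ", 2)
    return pattern in normalize_uri(uri)

def compare(pattern, requests):
    """Return (request, raw_hit, normalized_hit) for each request line."""
    return [(r, raw_content_match(pattern, r), uricontent_match(pattern, r))
            for r in requests]

if __name__ == "__main__":
    for line, raw_hit, norm_hit in compare("/cgi-bin/test.cgi", SAMPLE_REQUESTS):
        print(f"raw={raw_hit!s:5} normalized={norm_hit!s:5} {line}")
```

Without normalization, a rule set needs one raw pattern per spelling of the path; with it, a single pattern covers all four.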
Current thread:
- http_inspect preprocessor and Snort sensor performance Humes, David G. (May 21)
- Re: http_inspect preprocessor and Snort sensor performance Todd Wease (May 21)
- Re: http_inspect preprocessor and Snort sensor performance Jason (May 21)
- Re: http_inspect preprocessor and Snort sensor performance David J. Bianco (May 22)