Snort mailing list archives

Re: http_inspect preprocessor and Snort sensor performance


From: "David J. Bianco" <david () vorant com>
Date: Thu, 22 May 2008 08:28:53 -0400

Humes, David G. wrote:

So, from this one might conclude that disabling
http_inspect by commenting out all of its configuration lines in
snort.conf does not really disable it, but only invokes some default,
suboptimal configuration.  Or, maybe the extra work done by http_inspect
is offset by a diminished workload in the rules engine.  Hopefully
someone who knows a lot more about snort than me can explain this
behavior.  We are running snort 2.8.0.2.  But, I have seen this behavior
as far back as 2.4.


Your second idea is the correct one.  Http_inspect is able to drastically
cut down the number of packets that need to be matched against the rules,
which really speeds up snort.  It also makes some of the rules much more
efficient than they would otherwise be (via things like the "uricontent"
keyword).

And this doesn't even address the normalization and anti-evasion features
it provides.  All in all, you disable http_inspect at your very great
peril. 8-)

        David
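An added illustration (not from either poster) of the snort.conf lines the thread is talking about, beside a rule that depends on them. The port list, server profile and the example rule's sid/message are assumptions for a generic Snort 2.x web-server sensor.

```snort
# snort.conf excerpt (constructed example, not from the thread)

# These are the lines that get commented out when someone "disables"
# http_inspect.  The global line loads the IIS unicode map; the server
# line tells the preprocessor which ports carry HTTP (assumed: 80, 8080).
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }

# This rule looks only at the normalized URI buffer that http_inspect
# builds for request packets, so the engine skips every packet that is
# not an HTTP request with a URI.  Percent-encoding, multiple slashes and
# similar tricks are normalized away before the comparison is made.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE admin path request (normalized URI)"; flow:to_server,established; uricontent:"/admin/"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)

# The same check written without the URI buffer: "content" has to be
# searched across the whole payload of every packet on these ports, and a
# request for /%61dmin/ still matches in the URI buffer but not here.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE admin path request (raw payload)"; flow:to_server,established; content:"/admin/"; nocase; classtype:web-application-activity; sid:1000002; rev:1;)
```

Run `snort -T -c snort.conf` after editing to confirm the preprocessor and both rules load.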

