Snort mailing list archives

Re: Problem with http_inspect and Basic Authentication rule


From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 5 Jul 2011 12:26:24 -0400

On Mon, Jul 4, 2011 at 11:43 AM, andreas <andi () geekosphere org> wrote:

On 07/04/2011 04:37 PM, Joel Esler wrote:
Try 2.9.1 beta.

I will,
but I also found out that setting client_flow_depth to 1460 (or at least
over the default 300 value) results in the alert.
Is this default value of 300 set for better performance? The problem
with a low value is the issue I mentioned. The HTTP request may be a
little bit longer and Snort doesn't log the request.
But it may be that this is the intention for the default value: to
increase performance and to accept that some rules fail.


Yes - it is there to help tune performance and should be adjusted to meet
your needs.


I will report if I can see any differences with the beta.

thanks so far

Andi++



------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please see http://www.snort.org/docs for documentation
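
The effect discussed in this thread, as an added example that is not part of the original messages or of Snort itself: it models client_flow_depth as a plain prefix cut on the request payload and reports which requests a content match would miss at a given depth. The rule content `Authorization: Basic`, the sample requests and all function names are assumptions made for illustration; http_inspect's normalization is not modelled.

```python
# Added illustration: client_flow_depth modelled as "inspect only the first
# N bytes of the client request". Not Snort code; names are hypothetical.

PATTERN = b"Authorization: Basic"  # assumed rule content, not from the thread


def build_request(cookie_len: int) -> bytes:
    """Constructed sample: a Cookie header pushes Authorization further back."""
    lines = [
        b"GET /admin/ HTTP/1.1",
        b"Host: www.example.com",
        b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
        b"Cookie: session=" + b"a" * cookie_len,
        b"Authorization: Basic dXNlcjpwYXNz",  # constructed credentials
        b"", b"",
    ]
    return b"\r\n".join(lines)


def rule_fires(payload: bytes, depth: int, pattern: bytes = PATTERN) -> bool:
    """True if the whole pattern lies inside the inspected window."""
    return pattern in payload[:depth]


def min_depth_needed(payload: bytes, pattern: bytes = PATTERN):
    """Smallest depth at which the pattern is fully visible, or None."""
    start = payload.find(pattern)
    return None if start < 0 else start + len(pattern)


def audit(requests, depth):
    """Return (index, needed_depth) for every request the rule would miss."""
    missed = []
    for i, req in enumerate(requests):
        need = min_depth_needed(req)
        if need is not None and need > depth:
            missed.append((i, need))
    return missed


if __name__ == "__main__":
    samples = [build_request(20), build_request(400)]
    for depth in (300, 1460):  # the two values mentioned in the thread
        fired = [rule_fires(r, depth) for r in samples]
        print(f"depth={depth} fired={fired} missed={audit(samples, depth)}")
```

Running `audit` over request payloads taken from your own traffic gives a concrete basis for picking a depth instead of guessing.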
