Snort mailing list archives
Re: Problem with http_inspect and Basic Authentication rule
From: Russ Combs <rcombs () sourcefire com>
Date: Tue, 5 Jul 2011 12:26:24 -0400
On Mon, Jul 4, 2011 at 11:43 AM, andreas <andi () geekosphere org> wrote:
On 07/04/2011 04:37 PM, Joel Esler wrote:Try 2.9.1 beta.I will, but i also found out that setting client_flow_depth to 1460 (or at least over the default 300 value) results in the alert. Is this default value with 300 set for better performance? The problem with a low value is the issue i mentioned. The HTTP Request may be a little bit longer and snort doesn't log the request. But it may be that this is the intention for the default value to increase performance and to accept some rules to fail.
Yes - it is there to help tune performance and should be adjusted to meet your needs.
I will report if i can see any differences with the beta. thanks so far Andi++ ------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation
------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please see http://www.snort.org/docs for documentation
Current thread:
- Problem with http_inspect and Basic Authentication rule andreas (Jul 04)
- Re: Problem with http_inspect and Basic Authentication rule Joel Esler (Jul 04)
- Re: Problem with http_inspect and Basic Authentication rule andreas (Jul 04)
- Re: Problem with http_inspect and Basic Authentication rule Russ Combs (Jul 05)