Snort mailing list archives

server_flow_depth


From: jorbru30 () comcast net
Date: Sun, 11 Nov 2012 20:38:17 +0000 (UTC)

Hi Everyone, 

I understand that HTTP "server_flow_depth" specifies the maximum amount of payload the Snort detection engine inspects per 
flow. Thus more packets are inspected per flow if this value is higher. 

I want to understand how "server_flow_depth" affects the detection engine pattern matching process. For instance, if 
server_flow_depth is set to 5KB, does Snort rebuild packets until it captures 5KB and initiate pattern matching on 
the entire payload that is assembled from the flow packets? Or does it just inspect each packet separately and not 
assemble packets at all? 

I would appreciate it if anyone can explain the pattern matching process with respect to HTTP "server_flow_depth" in more detail. 

Thanks! 

Jordan. 
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
