Snort mailing list archives

Re: server_flow_depth


From: jorbru30 () comcast net
Date: Wed, 14 Nov 2012 00:56:07 +0000 (UTC)

Hi Again, 

I would like to ask the question in a different way in case I was not clear before. 

If the detection engine has to inspect more than one packet from every HTTP flow (because server_flow_depth is set 
to a higher size), does the engine run pattern matching on each packet separately, or does it assemble all packets from a 
flow and run pattern matching on the assembled content? 

I appreciate any clarification and pointers to references. 

Thanks! 

Jordan. 

----- Original Message -----
From: jorbru30 () comcast net 
To: snort-devel () lists sourceforge net 
Sent: Sunday, November 11, 2012 12:38:17 PM 
Subject: [Snort-devel] server_flow_depth 


Hi Everyone, 

I understand that HTTP "server_flow_depth" specifies the maximum amount of payload the Snort detection engine inspects per 
flow. Thus more packets are inspected per flow if this value is higher. 

I want to understand how "server_flow_depth" affects the detection engine's pattern matching process. For instance, if 
server_flow_depth is set to 5KB, does Snort rebuild packets until it captures 5KB, and then initiate pattern matching on 
the entire payload that is assembled from the flow's packets? Or does it just inspect each packet separately and not 
assemble packets at all? 

I would appreciate it if anyone could explain the pattern matching process with respect to HTTP "server_flow_depth" in more detail. 

Thanks! 

Jordan. 
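The two alternatives Jordan asks about (matching each segment on its own versus matching the assembled flow content, in both cases up to a per-flow byte budget) can be made concrete with a small model. The code below is an added illustration, not Snort's http_inspect code, and it makes no claim about which strategy Snort actually uses; all names, the `EVIL-PATTERN` signature and the sample response segments are constructed. It shows two effects a defender cares about when tuning a flow-depth setting: a signature split across two segments is only seen by the assembled strategy, and content beyond the inspection depth is never matched by either strategy.

```python
# Conceptual model of a per-flow inspection budget ("flow depth").
# Added example; NOT Snort's implementation. All data below is constructed.
import re
from collections import defaultdict

# Constructed server-response segments, (flow id, bytes), in arrival order.
# Flow "A" splits the signature across two segments.
# Flow "B" carries the signature only after ~600 bytes of filler.
SEGMENTS = [
    ("A", b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>EVIL-PAT"),
    ("A", b"TERN</html>"),
    ("B", b"HTTP/1.1 200 OK\r\n\r\n" + b"x" * 600),
    ("B", b"EVIL-PATTERN"),
]

# Constructed content signature standing in for a rule's content match.
PATTERN = re.compile(rb"EVIL-PATTERN")


def match_per_packet(segments, depth):
    """Run the pattern over each segment on its own. Each flow gets `depth`
    bytes of inspection in total; bytes past that are ignored.
    Returns the set of flow ids that would alert."""
    inspected = defaultdict(int)
    alerts = set()
    for flow, data in segments:
        if inspected[flow] >= depth:
            continue                     # budget for this flow exhausted
        chunk = data[: depth - inspected[flow]]
        inspected[flow] += len(chunk)
        if PATTERN.search(chunk):        # match inside this segment only
            alerts.add(flow)
    return alerts


def match_assembled(segments, depth):
    """Concatenate each flow's segments up to `depth` bytes, then run the
    pattern once over the assembled buffer. Returns the set of flow ids
    that would alert."""
    buffers = defaultdict(bytearray)
    for flow, data in segments:
        room = depth - len(buffers[flow])
        if room > 0:
            buffers[flow] += data[:room]  # keep only bytes within the depth
    return {flow for flow, buf in buffers.items() if PATTERN.search(bytes(buf))}


if __name__ == "__main__":
    for depth in (300, 2000):
        print(f"depth={depth}: per-packet={sorted(match_per_packet(SEGMENTS, depth))} "
              f"assembled={sorted(match_assembled(SEGMENTS, depth))}")
```

With a 300-byte depth the per-packet strategy alerts on nothing, while the assembled strategy alerts on flow A only (flow B's signature lies past the budget). With a 2000-byte depth the assembled strategy alerts on both flows, and the per-packet strategy still misses flow A because no single segment contains the whole signature. Whatever the real engine does, the depth setting decides which bytes are ever examined, so a depth smaller than the response region a rule targets silently disables that rule for the flow.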

_______________________________________________ 
Snort-devel mailing list 
Snort-devel () lists sourceforge net 
https://lists.sourceforge.net/lists/listinfo/snort-devel 
Archive: 
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel 

Please visit http://blog.snort.org for the latest news about Snort! 