Snort mailing list archives

Re: server_flow_depth


From: 薛永刚 <xueyonggang () sapling com cn>
Date: Wed, 14 Nov 2012 10:27:46 +0800

IMHO, the engine matches each packet separately until server_flow_depth is reached; no more matching after that.


From: jorbru30
Date: 2012-11-14 08:56
To: snort-devel
Subject: Re: [Snort-devel] server_flow_depth
Hi Again,

I would like to ask the question in a different way in case I was not clear before.

If the detection engine has to inspect more than one packet from every HTTP flow (because server_flow_depth is set to a 
higher size), does the engine run pattern matching on each packet separately, or does it assemble all packets from a 
flow and run pattern matching on the assembled content?

I appreciate any clarification and pointers to refer.

Thanks!

Jordan. 



From: jorbru30 () comcast net
To: snort-devel () lists sourceforge net
Sent: Sunday, November 11, 2012 12:38:17 PM
Subject: [Snort-devel] server_flow_depth


Hi Everyone,

I understand that HTTP "server_flow_depth" specifies the maximum amount of payload the Snort detection engine inspects per 
flow. Thus more packets are inspected per flow if this value is higher. 

I want to understand how "server_flow_depth" affects the detection engine's pattern matching process. For instance, if 
server_flow_depth is set to 5KB, does Snort rebuild packets until it captures 5KB, and then initiate pattern matching on 
the entire payload assembled from the flow's packets? Or does it just inspect each packet separately and not 
assemble packets at all? 

I would appreciate it if anyone could explain the pattern matching process with respect to HTTP "server_flow_depth" in more detail.

Thanks!

Jordan.
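Added example (not from the thread and not the Snort project's own configuration): a snort.conf http_inspect_server fragment showing the server_flow_depth values relevant to the question above. The value semantics and syntax follow the Snort 2.9 manual for the http_inspect preprocessor; the port list and the 5120-byte figure (Jordan's "5KB" case) are illustrative choices.

```conf
# Added example, not from the thread: Snort 2.9.x snort.conf fragment.
# Syntax and value semantics follow the Snort 2.9 manual for the
# http_inspect preprocessor; the port list is an illustrative choice.

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Weak for detection: stop inspecting server response data after 300
# bytes, which is the default. Rules that need to match content beyond
# that point in a response can produce false negatives.
# preprocessor http_inspect_server: server default profile all \
#     ports { 80 8080 } \
#     server_flow_depth 300

# The 5 KB case from the question: inspect up to 5120 bytes of server
# response data per HTTP session (valid range is -1 to 65535).
# preprocessor http_inspect_server: server default profile all \
#     ports { 80 8080 } \
#     server_flow_depth 5120

# Maximum coverage: 0 means inspect the entire server response payload
# on these ports (at a performance cost). With extended_response_inspection
# enabled the depth applies to the response body rather than the whole
# response, and the response header/status buffers become available to rules.
preprocessor http_inspect_server: server default profile all \
    ports { 80 8080 } \
    extended_response_inspection \
    server_flow_depth 0

# A value of -1 disables inspection of server-side payload on these ports.
```

Pick the depth from the rules you actually run: if any rule matches on response body content that is not within the first few hundred bytes, the default of 300 will not see it.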


------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
