[Snort-devel] Snort 2.0 HttpFlow configuration

Daniel Roelker droelker at ...402...
Thu Oct 10 10:37:06 EDT 2002


By the way, while people are testing 2.0 out, you should try the HTTP flow
analyzer:

preprocessor HttpFlow: ports 80 3128 8080 depth 150

ports: this is a list of ports talking HTTP
depth: this tells the preprocessor how much data to inspect in server-side
responses 

We will be putting up in-depth papers explaining Sourcefire contributed
technology, like the detection engine and protocol flow analysis.  These
should be available on the Sourcefire webpage sometime in the near future.

Dan

On 10/10/02 9:37 AM, "Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> wrote:

> 
> That helps quite a great deal.  I'm going to have to read up more on the
> two different multi-pattern matching algorithms... See which one would
> more likely be of value to us... As I'm not that familiar with any...
> 
> A quick test on one of our production systems shows it uses slightly less
> cpu (15%) with the mwm method, and the same (or sometimes less) with the
> ac method, as compared to snort-1.9.  Should there be an increase in
> used CPU and memory?  Also, should the memory usage when using ac be so
> much greater (2x) than mwm?  When running with the ac method, I see
> upwards of 200M used, whereas the same config file changed to mwm uses
> only 68M.
> 
> Documentation on the internet has gone greatly over my head in
> understanding the pattern matching algorithms, so is there an English
> way to explain what the benefits/downfalls of each of these?  Maybe some
> docs on the net somewhere that someone could RTFM me to.
> 
> -woot
> --cjk

-- 
Daniel Roelker
Software Engineer
droelker at ...402...

www.sourcefire.com
www.snort.org
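The HttpFlow line Dan gives above, modeled in Python as an added example; this is not Snort source code and not part of the thread. The model implements only the two options the message describes: `ports` is the list of ports that carry HTTP, and `depth` caps how many bytes of a server-side response are inspected. Everything else is an assumption of the model and is marked as such in the code: that client requests are inspected in full, that a line with no `depth` means "inspect the whole response", and the sample HTTP request and response, which are constructed here.

```python
"""Model of the Snort 2.0 `preprocessor HttpFlow:` line described in the post.

Added example, not Snort code.  Only `ports` and `depth` are taken from the
post; the treatment of client requests and of a missing `depth` are
assumptions of this model, and the sample traffic below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class HttpFlowConfig:
    ports: set = field(default_factory=set)   # ports talking HTTP
    depth: Optional[int] = None               # None = no depth given (assumption: inspect all)


def parse_httpflow_line(line: str) -> HttpFlowConfig:
    """Parse e.g. `preprocessor HttpFlow: ports 80 3128 8080 depth 150`."""
    m = re.match(r"\s*preprocessor\s+HttpFlow\s*:\s*(.*?)\s*$", line)
    if not m:
        raise ValueError("not an HttpFlow preprocessor line: %r" % line)
    tokens = m.group(1).split()
    cfg = HttpFlowConfig()
    i = 0
    while i < len(tokens):
        key = tokens[i]
        if key == "ports":
            i += 1
            while i < len(tokens) and tokens[i].isdigit():
                cfg.ports.add(int(tokens[i]))
                i += 1
            if not cfg.ports:
                raise ValueError("ports: expected at least one port number")
        elif key == "depth":
            if i + 1 >= len(tokens) or not tokens[i + 1].isdigit():
                raise ValueError("depth: expected a byte count")
            cfg.depth = int(tokens[i + 1])
            i += 2
        else:
            raise ValueError("unknown HttpFlow option: %r" % key)
    return cfg


def inspected_bytes(cfg: HttpFlowConfig, server_port: int,
                    direction: str, payload: bytes) -> bytes:
    """Slice of `payload` the preprocessor hands to detection.

    direction is "to_client" (server response) or "to_server" (client request).
    Only responses are capped by depth, as the post states; requests are
    assumed to be inspected in full.
    """
    if server_port not in cfg.ports:
        return b""          # not an HTTP port as far as HttpFlow is concerned
    if direction == "to_client" and cfg.depth is not None:
        return payload[:cfg.depth]
    return payload


def content_hits(cfg: HttpFlowConfig, server_port: int, direction: str,
                 payload: bytes, content: bytes) -> bool:
    """Would a plain content match on `content` see this payload?"""
    return content in inspected_bytes(cfg, server_port, direction, payload)


# Constructed sample traffic: 88 bytes of headers, then a body whose
# marker comment starts well past byte 150 of the response.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.26\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 141\r\n"
    b"\r\n"
    + b"<html><body>" + b"A" * 100 + b"<!-- MARKER -->" + b"</body></html>"
)


if __name__ == "__main__":
    cfg = parse_httpflow_line("preprocessor HttpFlow: ports 80 3128 8080 depth 150")
    print("ports:", sorted(cfg.ports), "depth:", cfg.depth)
    for pat in (b"Apache/1.3.26", b"MARKER"):
        print(pat, "seen in response:",
              content_hits(cfg, 80, "to_client", RESPONSE, pat))
```

The point a practitioner should take from this: `depth` trades inspection for CPU, so with `depth 150` a content match in a server response only fires if the bytes sit inside the first 150 bytes of that response (here the `Server:` header is seen, the comment in the body is not). Pick a depth that covers the headers plus whatever part of the body your rules match on, and remember that traffic on a port not listed under `ports` is not treated as HTTP by this preprocessor at all.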
