[Snort-devel] RE: Snort 2.0 HttpFlow configuration (and other syntax)
Kreimendahl, Chad J
Chad.Kreimendahl at ...1167...
Thu Oct 10 14:06:05 EDT 2002
Is the standard for preprocessors going to be to separate the individual
args (and args values) by commas? Just curious cause as I was modifying
the config for our sensors, I noticed that some preprocessors don't use
commas to separate information (HttpFlow, http_decode)... While some do
(stream4, portscan2). Was thinking about this from the standpoint of
making loading of the config from the database an easier task than is
currently made by different standards for different config and
From: Daniel Roelker [mailto:droelker at ...402...]
Sent: Thursday, October 10, 2002 3:34 PM
To: Kreimendahl, Chad J; snort-devel at lists.sourceforge.net
Subject: Snort 2.0 HttpFlow configuration
By the way, while people are testing 2.0 out, you should try the HTTP
preprocessor HttpFlow: ports 80 3128 8080 depth 150
ports: this is a list of ports talking HTTP
depth: this tells the preprocessor how much data to inspect in
We will be putting up in-depth papers explaining Sourcefire contributed
technology, like the detection engine and protocol flow analysis. These
should be available on the Sourcefire webpage sometime in the near
On 10/10/02 9:37 AM, "Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...>
> That helps quite a great deal. I'm going to have to read up more on
> two different multi-pattern matching algorithms... See which one would
> more likely be of value to us... As I'm not that familiar with any...
> A quick test on one of our production systems show it uses slightly
> cpu (15%) with the mwm method, and the same (or sometimes less) with
> ac method, as compared to snort-1.9. Should there be an increase in
> used CPU and memory? Also, should the memory usage when using ac be
> much greater (2x) than mwm? When running with the ac method, I see
> upwards of 200M used, whereas the same config file changed to mwm uses
> only 68M.
> Documentation on the internet has gone greatly over my head in
> understanding the pattern matching algorithms, so is there an English
> way to explain what the benefits/downfalls of each of these? Maybe
> docs on the net somewhere that someone could RTFM me to.
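Added example (not Snort's own code) for the two preprocessor argument conventions the thread compares: a parser that accepts both the whitespace-separated keyword/value-list form used by the HttpFlow line quoted above and the comma-separated option groups of preprocessors like stream4, plus the validation a config loader would apply before handing the values on. The HttpFlow line is from the thread; the stream4-style option names in the usage are assumptions used only to show the comma form.

```python
"""Parse Snort 2.0-style preprocessor argument strings (added example)."""


def parse_preproc_args(args: str) -> dict:
    """Return {option: [int, ...]} for keyword/value-list arguments.

    Whitespace form (HttpFlow, http_decode): a keyword starts a new option and
    every following numeric token is one of its values.
    Comma form (stream4, portscan2): each comma-delimited group is one option;
    a group with no value becomes an empty list (a boolean flag).
    """
    opts = {}
    groups = args.split(",") if "," in args else [args]
    for group in groups:
        tokens = group.split()
        i = 0
        while i < len(tokens):
            key = tokens[i]
            if key.isdigit():
                raise ValueError(f"value {key!r} has no option keyword")
            if key in opts:
                raise ValueError(f"option {key!r} given twice")
            i += 1
            vals = []
            while i < len(tokens) and tokens[i].isdigit():
                vals.append(int(tokens[i]))
                i += 1
            opts[key] = vals
    return opts


def httpflow_config(args: str) -> dict:
    """Validate HttpFlow options: a non-empty port list and one positive depth."""
    opts = parse_preproc_args(args)
    ports = opts.get("ports", [])
    depth = opts.get("depth", [])
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("HttpFlow needs one or more ports in 1..65535")
    if len(depth) != 1 or depth[0] <= 0:
        raise ValueError("HttpFlow needs exactly one positive depth")
    unknown = set(opts) - {"ports", "depth"}
    if unknown:
        raise ValueError(f"unknown HttpFlow options: {sorted(unknown)}")
    return {"ports": ports, "depth": depth[0]}


if __name__ == "__main__":
    print(httpflow_config("ports 80 3128 8080 depth 150"))
    # Assumed stream4-style comma form, for comparison only.
    print(parse_preproc_args("detect_scans, timeout 5, memcap 8388608"))
```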