[Snort-devel] RE: Snort 2.0 HttpFlow configuration (and other syntax)

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Thu Oct 10 14:06:05 EDT 2002


Is the standard for preprocessors going to be to separate the individual
args (and args values) by commas?  Just curious cause as I was modifying
the config for our sensors, I noticed that some preprocessors don't use
commas to separate information (HttpFlow, http_decode)... While some do
(stream4, portscan2).  Was thinking about this from the standpoint of
making loading of the config from the database an easier task than is
currently made by different standards for different config and
preprocessor options.

-CJK

-----Original Message-----
From: Daniel Roelker [mailto:droelker at ...402...] 
Sent: Thursday, October 10, 2002 3:34 PM
To: Kreimendahl, Chad J; snort-devel at lists.sourceforge.net
Subject: Snort 2.0 HttpFlow configuration


By the way, while people are testing 2.0 out, you should try the HTTP
flow analyzer:

preprocessor HttpFlow: ports 80 3128 8080 depth 150

ports: this is a list of ports talking HTTP
depth: this tells the preprocessor how much data to inspect in
server-side responses

We will be putting up in-depth papers explaining Sourcefire contributed
technology, like the detection engine and protocol flow analysis.  These
should be available on the Sourcefire webpage sometime in the near
future.

Dan

On 10/10/02 9:37 AM, "Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...>
wrote:

> 
> That helps quite a great deal.  I'm going to have to read up more on
> the two different multi-pattern matching algorithms... See which one
> would more likely be of value to us... As I'm not that familiar with any...
> 
> A quick test on one of our production systems shows it uses slightly
> less cpu (15%) with the mwm method, and the same (or sometimes less) with
> the ac method, as compared to snort-1.9.  Should there be an increase in
> used CPU and memory?  Also, should the memory usage when using ac be
> so much greater (2x) than mwm?  When running with the ac method, I see
> upwards of 200M used, whereas the same config file changed to mwm uses
> only 68M.
> 
> Documentation on the internet has gone greatly over my head in
> understanding the pattern matching algorithms, so is there an English
> way to explain what the benefits/downfalls of each of these?  Maybe
> some docs on the net somewhere that someone could RTFM me to.
> 
> -woot
> --cjk

-- 
Daniel Roelker
Software Engineer
droelker at ...402...

www.sourcefire.com
www.snort.org
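Chad's question at the top of the thread is about preprocessor lines that separate arguments with whitespace (HttpFlow) versus commas (stream4, portscan2). As an added example, not code from this thread or from Snort itself, here is a small Python loader that reads the HttpFlow line Dan quoted and treats commas and whitespace alike, so a database-backed config loader gets the same structure either way; the comma-separated variant is a constructed input, and the keyword typing (`ports` takes a list, any other keyword a single integer) is an assumption for illustration.

```python
import re
from typing import Dict, List, Union

# Constructed sample input: the HttpFlow line from Dan's mail, and a
# hypothetical comma-separated spelling of the same line.
SAMPLE_LINES = [
    "preprocessor HttpFlow: ports 80 3128 8080 depth 150",
    "preprocessor HttpFlow: ports 80, 3128, 8080, depth 150",
]

# Assumption for this example: keywords in LIST_KEYS collect every number
# that follows them; any other keyword takes exactly one integer value.
LIST_KEYS = {"ports"}


def parse_preprocessor(line: str) -> Dict[str, Union[str, int, List[int]]]:
    """Parse one 'preprocessor NAME: args' line into a dict.

    Commas and whitespace are both accepted as separators, so lines
    written in either convention yield the same result.
    """
    m = re.match(r"^\s*preprocessor\s+(\w+)\s*:\s*(.*)$", line)
    if not m:
        raise ValueError(f"not a preprocessor line: {line!r}")
    name, argstr = m.group(1), m.group(2)
    tokens = [t for t in re.split(r"[\s,]+", argstr.strip()) if t]
    result: Dict[str, Union[str, int, List[int]]] = {"name": name}
    key = None
    for tok in tokens:
        if tok.isdigit():
            if key is None:
                raise ValueError(f"value {tok!r} before any keyword: {line!r}")
            if key in LIST_KEYS:
                result.setdefault(key, []).append(int(tok))  # type: ignore[union-attr]
            elif key in result:
                raise ValueError(f"duplicate value for {key!r}: {line!r}")
            else:
                result[key] = int(tok)
        else:
            key = tok
            if key in LIST_KEYS:
                result.setdefault(key, [])
    return result


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_preprocessor(sample))
```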
