[Snort-users] Taking out the traffic on ports 22 and 443 suggestive?

Brian bmc at ...950...
Thu Apr 24 10:36:14 EDT 2003

On Thu, Apr 24, 2003 at 12:20:22PM -0400, Brian wrote:
> If you are really concerned, you can [ab]use httpflow to ignore
> sessions after a specific number of bytes.  In the following example, 
> snort will start ignoring packets in sessions after 1000 bytes on port
> 22 and 443.
>    preprocessor httpflow: depth 1000 ports 22 443

Yeah, so that won't actually work.  I thought httpflow was session
based.  It's not.  its per packet based.

Sorry about that.


More information about the Snort-users mailing list