[Snort-users] flow_depth

Bamm Visscher bamm.visscher at ...11827...
Sat Dec 31 08:06:03 EST 2005


preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0

Be aware that setting flow_depth to 0 can have a serious performance
impact on your sensor.

Bamm

On 12/30/05, Ron Jenkins <rjenkins at ...12829...> wrote:
>
>
>
> What would be the new line for flow_depth 0?
>
>
>
> preprocessor http_inspect_server: server default \
>
>     profile all ports { 80 8080 8180 } oversize_dir_length 500
>
>
>
> #
>
> #  Example unique server configuration
>
> #
>
> #preprocessor http_inspect_server: server 1.1.1.1 \
>
> #    ports { 80 3128 8080 } \
>
> #    flow_depth 0 \
>
> #    ascii no \
>
> #    double_decode yes \
>
> #    non_rfc_char { 0x00 } \
>
> #    chunk_length 500000 \
>
> #    non_strict \
>
> #    oversize_dir_length 300 \
>
> #    no_alerts
>
>
>
>
>
> Ron Jenkins (SnortCP, MCNE, CNE6, MCP, CCNA, CCEA)
>  Senior Architect
>  Data Integrity, LLC
>  "We Integrate People with Solutions"
>  1724 Dallas Drive
>  Suite 11
>  Baton Rouge, La 70806
>  Office. 225.927.8030
>  Fax. 225.927.8033
>  Cell. 225.931.1632
>
> Email. rjenkins at ...12829...
>  Web. http://www.dibr.net
>
> (Aanval Reseller and Technology Partner)
>
> http://www.aanval.com/tour/dibr
>
>


--
sguil - The Analyst Console for NSM
http://sguil.sf.net
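
An added example, not part of the original message or of Snort itself: a small audit script that reads a snort.conf, joins backslash-continued lines, skips commented-out entries, and reports which active `http_inspect_server` entries set `flow_depth 0`, the setting the reply above warns about. The sample config is constructed from the lines quoted in this thread; the function names and the 10.0.0.5 entry are assumptions, and server lists written in braces are not handled.

```python
import re

# Constructed sample, modelled on the configuration lines quoted in this thread.
SAMPLE_CONF = r"""
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 8180 } oversize_dir_length 500 flow_depth 0
#preprocessor http_inspect_server: server 1.1.1.1 \
#    ports { 80 3128 8080 } \
#    flow_depth 0
preprocessor http_inspect_server: server 10.0.0.5 \
    ports { 80 } flow_depth 300
"""

def join_continuations(text):
    """Merge physical lines ending in a backslash into one logical line."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            logical.append(buf + line)
            buf = ""
    if buf:
        logical.append(buf)
    return logical

def audit_flow_depth(text):
    """Return (server, ports, flow_depth) for each active http_inspect_server
    entry. flow_depth is None when the option is absent (Snort's default applies)."""
    pattern = re.compile(
        r"preprocessor\s+http_inspect_server\s*:\s*server\s+(\S+)(.*)")
    results = []
    for line in join_continuations(text):
        line = line.strip()
        if line.startswith("#"):          # commented-out example entries
            continue
        m = pattern.match(line)
        if not m:
            continue
        server, opts = m.group(1), m.group(2)
        ports = re.search(r"\bports\s*\{([^}]*)\}", opts)
        depth = re.search(r"\bflow_depth\s+(-?\d+)", opts)
        results.append((server,
                        [int(p) for p in ports.group(1).split()] if ports else [],
                        int(depth.group(1)) if depth else None))
    return results

def unlimited_servers(text):
    """Servers whose active entry sets flow_depth 0."""
    return [s for s, _, d in audit_flow_depth(text) if d == 0]
```

Running `unlimited_servers(open("snort.conf").read())` on a sensor's config lists the entries to review before accepting the performance cost.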



