[Snort-users] Http_inspect

Joel Esler joel.esler at ...1935...
Thu Oct 20 13:49:51 EDT 2005

It's for both the IDS and the IPS.  HTTP is a strange beast, Snort,  
with it's http normalizer processor, will "normalize" traffic.  Make  
it human readable.

If URL's are encoded in Unicode, or example, Snort will translate  
them to ascii before passing that session over to the rules engine.   
That way, Not only does the Engine not have to work as hard, but the  
rules are easier to write as well.

Joel Esler
Security Consultant
Sourcefire, Inc
AIM: eslerjoel
joel.esler at ...1935...

On Oct 20, 2005, at 4:41 PM, Cody Holland wrote:

> Is the http_inpect preprocessor for an inline sensor?  The only  
> reason I
> ask is that it talks about "normalizing http packets".
> Thanks,
> Cody
> -------------------------------------------------------
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads,  
> discussions,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20051020/9b0f59c9/attachment.html>

More information about the Snort-users mailing list