[Snort-users] http_inspect preprocessor and Snort sensor performance

David J. Bianco david at ...13799...
Thu May 22 08:28:53 EDT 2008


Humes, David G. wrote:

> So, from this one might conclude that disabling
> http_inspect by commenting out all of its configuration lines in
> snort.conf does not really disable it, but only invokes some default,
> suboptimal configuration.  Or, maybe the extra work done by http_inspect
> is offset by a diminished workload in the rules engine.  Hopefully
> someone who knows a lot more about snort than me can explain this
> behavior.  We are running snort 2.8.0.2.  But, I have seen this behavior
> as far back as 2.4.
>  

Your second idea is the correct one.  Http_inspect is able to drastically
cut down the number of packets that need to be matched against the rules,
which really speeds up snort.  It also makes some of the rules much more
efficient than they would otherwise be (via things like the "uricontent"
keyword).

And this doesn't even address the normalization and anti-evasion features
it provides.  All in all, you disable http_inspect at your very great
peril. 8-)

	David
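As an added illustration, not part of the original thread, of the explicit http_inspect configuration the poster commented out and of a rule that relies on it. It assumes a Snort 2.8-era snort.conf with the usual $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS variables defined; the rule text and SID are made up for this example.

```snort
# Explicit http_inspect configuration (the lines the original poster
# commented out). Global settings: the IIS Unicode map used when
# normalizing URIs.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Per-server settings. "profile all" turns on the full set of normalization
# and anti-evasion checks; only traffic on the listed ports is handed to the
# preprocessor, so everything else skips the HTTP-specific work entirely.
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 }

# A rule that depends on the preprocessor. "uricontent" is matched only
# against the normalized URI that http_inspect extracted, instead of a plain
# "content" scan over the whole payload of every packet; that is where the
# rules-engine savings mentioned above come from. Because the URI is
# normalized first, an encoded form such as %2e%2e/ is caught by the same
# pattern as the literal one.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
    (msg:"EXAMPLE directory traversal in normalized URI"; \
     flow:to_server,established; \
     uricontent:"/../"; \
     classtype:web-application-attack; \
     sid:1000001; rev:1;)
```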