[Snort-users] Problem with http_inspect and Basic Authentication rule

Russ Combs rcombs at ...1935...
Tue Jul 5 12:26:24 EDT 2011


On Mon, Jul 4, 2011 at 11:43 AM, andreas <andi at ...15330...> wrote:

> On 07/04/2011 04:37 PM, Joel Esler wrote:
> > Try 2.9.1 beta.
>
> I will,
> but i also found out that setting client_flow_depth to 1460 (or at least
> over the default 300 value) results in the alert.
> Is this default value with 300 set for better performance? The problem
> with a low value is the issue i mentioned. The HTTP Request may be a
> little bit longer and snort doesn't log the request.
> But it may be that this is the intention for the default value to
> increase performance and to accept some rules to fail.
>

Yes - it is there to help tune performance and should be adjusted to meet
your needs.

>
> I will report if i can see any differences with the beta.
>
> thanks so far
>
> Andi++
>
>
>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please see http://www.snort.org/docs for documentation
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110705/90e47c66/attachment.html>


More information about the Snort-users mailing list