[Snort-users] http_inspects post_depth

Nigel Houghton nhoughton at ...1935...
Fri Jun 3 14:10:56 EDT 2011

On Fri, 03 Jun 2011 17:43:29 +0000, Eoin Miller wrote:
> Kind of wondering about this from the manual:
> ---SNIP---
> 11. post_depth <integer>
> This specifies the amount of data to inspect in a client post message. 
> The value can be set from -1 to 65495. The default value is -1. A value 
> of -1 causes Snort to ignore all the data in the post message. 
> Inversely, a value of 0 causes Snort to inspect all the client post 
> message. This increases the performance by inspecting only specified 
> bytes in the post message.
> ---SNIP---
> I'm trying to wrap my head around the wording of this. Does this 
> effectively mean 0 = 65495? Or does setting the value to 0 cause 
> inspection of all of it beyond the 65495 buffer range?

Yes, that's certainly a little unclear.

The last sentence should probably read something like this: "Setting a 
non-zero value for this option increases performance by inspecting only 
that number of bytes in the post data."

Of course, setting it to -1 would also increase performance since the 
post data would be ignored.

I'm sure Joel will enter a bug to clarify the paragraph in the handbook.

Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
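
An added example, not part of the original message or of Snort itself: a small audit script that reads `http_inspect_server` lines from a snort.conf and reports what each `post_depth` setting means, taking the range and default (-1 ignores POST data, 0 inspects all of it, 1 to 65495 inspects that many bytes) from the manual excerpt quoted above. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Default and upper bound as stated in the manual excerpt quoted in this thread.
DEFAULT_POST_DEPTH = -1
MAX_POST_DEPTH = 65495

# Constructed sample configuration (addresses are documentation-range placeholders).
SAMPLE_CONF = """# constructed sample, not from a real deployment
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } \\
    post_depth 0
preprocessor http_inspect_server: server 192.0.2.10 \\
    profile apache ports { 80 }
preprocessor http_inspect_server: server 192.0.2.20 profile all ports { 80 } post_depth 1460
"""

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def describe(depth):
    """Translate a post_depth value into its effect, per the quoted manual text."""
    if depth == -1:
        return "POST body ignored"
    if depth == 0:
        return "entire POST body inspected"
    if 1 <= depth <= MAX_POST_DEPTH:
        return f"first {depth} bytes of POST body inspected"
    return "invalid value (outside -1..65495)"

def audit_post_depth(conf_text):
    """Return (server, post_depth, effect) for each http_inspect_server line."""
    findings = []
    for line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+http_inspect_server\s*:\s*server\s+(.+)", line)
        if not m:
            continue
        rest = m.group(1)
        server = rest.split()[0]  # assumes "default" or a single address, not a { } list
        d = re.search(r"\bpost_depth\s+(-?\d+)", rest)
        depth = int(d.group(1)) if d else DEFAULT_POST_DEPTH  # option absent: default applies
        findings.append((server, depth, describe(depth)))
    return findings
```

A server entry that omits `post_depth` is reported with the default, which is the case most likely to go unnoticed when rules are expected to match on POST data.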
