[Snort-users] http_inspects post_depth
nhoughton at ...1935...
Fri Jun 3 14:10:56 EDT 2011
On Fri, 03 Jun 2011 17:43:29 +0000, Eoin Miller wrote:
> Kind of wondering about this from the 126.96.36.199 manual:
> 11. post_depth <integer>
> This specifies the amount of data to inspect in a client post message.
> The value can be set from -1 to 65495. The default value is -1. A value
> of -1 causes Snort to ignore all the data in the post message.
> Inversely, a value of 0 causes Snort to inspect all the client post
> message. This increases the performance by inspecting only specified
> bytes in the post message.
> I'm trying to wrap my head around the wording of this. Does this
> effectively mean 0 = 65495? Or does setting the value to 0 cause
> inspection of all of it beyond the 65495 buffer range?
Yes, that's certainly a little unclear.
The last sentence should probably read something like this: "Setting a
non-zero value for this option increases performance by inspecting only
that number of bytes in the post data."
Of course, setting it to -1 would also increase performance since the
post data would be ignored.
I'm sure Joel will enter a bug to clarify the paragraph in the handbook.
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
More information about the Snort-users