[Snort-users] http_inspects post_depth

Joel Esler jesler at ...1935...
Fri Jun 3 14:21:20 EDT 2011


Will do. Thanks.  

--
Sent from my iPhone
Forgive my misspellings and briefness

On Jun 3, 2011, at 2:10 PM, Nigel Houghton <nhoughton at ...1935...> wrote:

> On Fri, 03 Jun 2011 17:43:29 +0000, Eoin Miller wrote:
>> Kind of wondering about this from the 2.9.0.5 manual:
>> 
>> ---SNIP---
>> 11. post_depth <integer>
>> This specifies the amount of data to inspect in a client post message. 
>> The value can be set from -1 to 65495. The default value is -1. A value 
>> of -1 causes Snort to ignore all the data in the post message. 
>> Inversely, a value of 0 causes Snort to inspect all the client post 
>> message. This increases the performance by inspecting only specified 
>> bytes in the post message.
>> ---SNIP---
>> 
>> I'm trying to wrap my head around the wording of this. Does this 
>> effectively mean 0 = 65495? Or does setting the value to 0 cause 
>> inspection of all of it beyond the 65495 buffer range?
> 
> Yes, that's certainly a little unclear.
> 
> The last sentence should probably read something like this: "Setting a 
> non-zero value for this option increases performance by inspecting only 
> that number of bytes in the post data."
> 
> Of course, setting it to -1 would also increase performance since the 
> post data would be ignored.
> 
> I'm sure Joel will enter a bug to clarify the paragraph in the handbook.
> 
> --
> Nigel Houghton
> Head Mentalist
> SF VRT Department of Intelligence Excellence
> http://vrt-blog.snort.org/ && http://labs.snort.org/
> 
> ------------------------------------------------------------------------------
> Simplify data backup and recovery for your virtual environment with vRanger.
> Installation's a snap, and flexible recovery options mean your data is safe,
> secure and there when you need it. Discover what all the cheering's about.
> Get your free trial download today. 
> http://p.sf.net/sfu/quest-dev2dev2 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list