Re: Question about http_inspect

[Asim Jamshed <asim.jamshed () gmail com>]

Thanks. That makes sense. I will take a look at the code.
I just wanted to make sure whether HttpInspect module
takes care of those scenarios when the HTTP header is
split across multiple segments (maybe due to a very long
cookie value). I know this condition is very rare but just
wanted to verify what HttpInspect would do in this case.

--Asim

On Mon, Sep 21, 2015 at 6:58 PM, Rahul Burman (rahburma) <rahburma () cisco com
> wrote:

> It is not really required as the response codes and headers are available
> in the first response packet itself.
>
> You can actually go through the code under HttpInspect module. I believe
> it is well explained there.
>
>
>
> [image: http://www.cisco.com/web/europe/images/email/signature/logo05.jpg]
>
> *Rahul Burman*
> ENGINEER.SOFTWARE ENGINEERING
> rahburma () cisco com
> Phone: *+91 80 4365 7902 <%2B91%2080%204365%207902>*
>
> *Cisco Systems Limited*
> SEZ, Embassy Tech Village,Panathur Varthur Hobli, Bangalore East Taluk
> BANGALORE
> KARNATAKA
> 560 037
> IN
> Cisco.com <http://www.cisco.com>
>
>
>
> [image: Think before you print.]Think before you print.
>
> This email may contain confidential and privileged material for the sole
> use of the intended recipient. Any review, use, distribution or disclosure
> by others is strictly prohibited. If you are not the intended recipient (or
> authorized to receive for the recipient), please contact the sender by
> reply email and delete all copies of this message.
>
> For corporate legal information go to:
> http://www.cisco.com/web/about/doing_business/legal/cri/index.html
>
>
>
>
>
> *From:* Asim Jamshed [mailto:asim.jamshed () gmail com]
> *Sent:* Monday, September 21, 2015 3:14 PM
> *To:* Rahul Burman (rahburma)
> *Cc:* snort-devel () lists sourceforge net
> *Subject:* Re: Question about http_inspect
>
>
>
> Thanks. Can you please elaborate on why it cannot do stateful inspection
> on server response?
>
>
>
> --Asim
>
> On Monday, September 21, 2015, Rahul Burman (rahburma) <rahburma () cisco com>
> wrote:
>
> HttpInspect module is stateless while inspecting the server responses.
> There is a provision to do both stateless and stateful traffic inspection.
>
> Regards
> Rahul
>
> -----Original Message-----
> From: Asim Jamshed [mailto:asim.jamshed () gmail com]
> Sent: Sunday, September 20, 2015 4:55 PM
> To: snort-devel () lists sourceforge net
> Subject: [Snort-devel] Question about http_inspect
>
> Hi,
>
> I was going through the Snort manual and it says that the http inspect
> module is stateless (analyzes flows on a per-packet basis). Is that right?
> I was wondering why it can use stream5 module and perform stateful
> management like ftp, telnet and smtp protocols?
>
> Thanks,
> --Asim
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!