Snort mailing list archives
Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss)
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 09 Aug 2001 23:01:57 -0400
Jason Haar wrote:
> > Oh, and put frag2 before everything else, your preprocessors are going to be run "out of order" otherwise (IOW, you probably want to do IP defragmentation before the others...)
>
> Whoa! That's news to me. I sort of expected the conf to be read from start to finish and then acted on. Is that documented anywhere? I understand the rules are order dependent - but never thought things like preprocessors would be. Now I know, I'll pay more attention to where I write things :-) Thanks for the heads-up.
Preprocessors are run in the order that they're added to the internal list, so you want to run them in the order that they appear in the stack for best effect. For example, frag2 operates at the network layer (layer 3), so it should go first. The stream4 code operates at the transport layer, so it comes next, then you get to the application layer normalizers and detectors. The portscan detector runs as an "event aggregator", so it should probably come last (after all reassembly and normalization have been done). The arpspoof plugin operates at the network layer again, but since it's a non-IP protocol, its order really doesn't matter.

Someday I very well may document all this stuff... ;)

-Marty

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
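An added example, not from this thread or from Snort itself: a small Python checker that encodes the layer ordering Marty describes (frag2, then stream4, then the application-layer decoders, with portscan last and arpspoof unranked) and flags preprocessor directives that a snort.conf lists out of that order. The preprocessor names are the Snort 1.8 default-config ones; the sample conf is constructed to show the mistake discussed above.

```python
"""Lint the preprocessor order in a Snort 1.8-era snort.conf.

Rule from the reply above: frag2 (network layer) before stream4 (transport)
before the application-layer decoders, with portscan last because it
aggregates events from everything before it; arpspoof is non-IP and unranked.
"""
import re

# Lower rank runs first. Names are Snort 1.8 default-config preprocessors;
# the ranking is the layer rule from the reply, not something Snort enforces.
LAYER_RANK = {
    "frag2": 1,               # layer 3: IP defragmentation
    "stream4": 2,             # layer 4: TCP state and stream reassembly
    "stream4_reassemble": 2,
    "http_decode": 3,         # application-layer normalizers/decoders
    "rpc_decode": 3,
    "telnet_decode": 3,
    "portscan": 4,            # event aggregator: after all reassembly
}
DIRECTIVE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")

def preprocessor_order(conf_text):
    """Names of the preprocessor directives, in the order snort.conf lists them."""
    return [m.group(1) for m in map(DIRECTIVE.match, conf_text.splitlines()) if m]

def ordering_problems(conf_text):
    """(earlier, later) pairs where 'later' belongs before 'earlier';
    unranked plugins (arpspoof, unknown names) never flag a problem."""
    problems, seen = [], []
    for name in preprocessor_order(conf_text):
        rank = LAYER_RANK.get(name)
        if rank is None:
            continue
        # every ranked directive already listed with a higher rank is out of order
        problems += [(p, name) for p, r in seen if r > rank]
        seen.append((name, rank))
    return problems

# Constructed sample: frag2 after the decoders and portscan, as in the thread.
MISORDERED_CONF = """\
preprocessor http_decode: 80
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor frag2
preprocessor arpspoof
"""

if __name__ == "__main__":
    for earlier, later in ordering_problems(MISORDERED_CONF):
        print(f"{later} should be listed before {earlier}")
```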