Snort mailing list archives

Re: detection and preprocessor plugins


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 28 Jan 2002 22:01:31 -0500

On 1/28/02 3:24 PM, "Steve Halligan" <agent33 () geeksquad com> wrote:


> I want to write a plugin to detect the presence of something in the data
> portion of a packet.
> This "something" is too complex and random for a signature, so it needs to
> be done via a plugin.

> However, my detection could be completely thwarted by simply fragging the
> packet.  My questions are:

> 1)  Should this be a detection plugin or a preprocessor?

It should be a detection plugin; the frag2 preprocessor will take care of
the heavy lifting of defragging packets and presenting them to you in their
"correct" format.

> 2)  Is there anyplace that I would have access to the packet that has been
> reassembled by the defrag preprocessor?

Yes, the frag2 preprocessor hands the defragmented packet to the detection
engine in real-time once all the pieces have arrived.

> 3)  If one has multiple preprocessors, what determines the order they run
> in?  Can the defrag run first, then others, allowing them to see the packet
> in its defragged form?

The order is determined by the way that they're loaded in the snort.conf
file.  The default order has spp_frag2 loaded first.

> 4)  spp_bo (the back orifice preprocessor) is a preprocessor.  If #3 above
> is not possible, can it be thwarted by running the packets through a
> fragrouter?

Yes, but most people scanning for BO these days are yahoos... :)

     -Marty

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
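The point Marty makes in answers 1 and 2 (inspect the data portion only after frag2 has reassembled it) shown as an added Python illustration; this is not Snort code and the fragments, marker string and the frag2-like reassembler are constructed here for the example:

```python
from collections import defaultdict

# Constructed marker standing in for a "too complex for a signature" payload check.
SUSPICIOUS = b"*!*QWTY?"

def detect(payload: bytes) -> bool:
    """Stand-in for a detection plugin inspecting a packet's data portion."""
    return SUSPICIOUS in payload

class Reassembler:
    """Minimal frag2-like reassembler keyed on (src, dst, ip_id); offsets in bytes."""
    def __init__(self):
        self.frags = defaultdict(dict)   # key -> {offset: data}
        self.total = {}                  # key -> datagram length, known at last fragment

    def feed(self, src, dst, ip_id, offset, more, data):
        """Store one fragment; return the full datagram once every byte is present."""
        key = (src, dst, ip_id)
        self.frags[key][offset] = data
        if not more:
            self.total[key] = offset + len(data)
        if key not in self.total:
            return None
        buf = bytearray()
        for off, chunk in sorted(self.frags[key].items()):
            if off != len(buf):          # gap or overlap (not resolved here): keep waiting
                return None
            buf += chunk
        if len(buf) != self.total[key]:
            return None
        del self.frags[key], self.total[key]
        return bytes(buf)

def scan_fragments(fragments):
    """Return (hits inspecting fragments alone, hits after reassembly)."""
    per_frag, reassembled, r = 0, 0, Reassembler()
    for src, dst, ip_id, offset, more, data in fragments:
        per_frag += int(detect(data))            # naive: each fragment by itself
        full = r.feed(src, dst, ip_id, offset, more, data)
        if full is not None:
            reassembled += int(detect(full))     # what the plugin sees after frag2
    return per_frag, reassembled

# Constructed sample: the marker is split across two fragments that arrive out of order.
PAYLOAD = b"GET /index.html " + SUSPICIOUS + b" trailing data"
SAMPLE = [
    ("10.0.0.5", "10.0.0.9", 0x1234, 20, False, PAYLOAD[20:]),
    ("10.0.0.5", "10.0.0.9", 0x1234, 0, True, PAYLOAD[:20]),
]
print(scan_fragments(SAMPLE))  # (0, 1): missed per fragment, caught once reassembled
```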

