Snort mailing list archives
Re: detection and preprocessor plugins
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 29 Jan 2002 22:15:49 -0500
Right, but the packet is marked as a rebuilt frag so frag2 knows to ignore it.

-Marty

On 1/29/02 10:34 AM, "Steve Halligan" <agent33 () geeksquad com> wrote:
> Please allow me to answer my own question. When frag2 determines that it has a complete packet rebuilt, it dumps the packet back into ProcessPacket(), which will give all the preprocessors (even frag2 itself actually) another shot at the new rebuilt packet.
> -steve
>
>>>> 3) If one has multiple preprocessors, what determines the order they run in? Can the defrag run first, then others, allowing them to see the packet in its defragged form?
>>>
>>> The order is determined by the way that they're loaded in the snort.conf file. The default order has spp_frag2 loaded first.
>>
>> So if frag2 is loaded first, will other preprocessors see a packet in its defragged state? Or is the defragged packet only available to detection plugins and the signature engine?
>> -steve
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
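The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Snort source code: a toy preprocessor chain in which the defragmenter runs first, re-injects the rebuilt packet into the processing function, and skips packets carrying its own "rebuilt" flag. All names (PKT_REBUILT, toy_frag, toy_inspect, process_packet) and the two sample fragments are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PKT_REBUILT 0x1   /* hypothetical flag: packet was built by the defragmenter */
#define MAX_PAYLOAD 256
typedef struct { unsigned flags; int more_frags; size_t len; char data[MAX_PAYLOAD]; } Packet;
typedef void (*Preproc)(const Packet *);
static void process_packet(const Packet *p);

static Packet reasm;                       /* single-flow reassembly buffer */
static int frag_inputs, rebuilt_seen, raw_seen;
static char last_rebuilt[MAX_PAYLOAD];

/* Defragmenter: ignores packets it rebuilt itself, otherwise buffers fragments. */
static void toy_frag(const Packet *p) {
    if (p->flags & PKT_REBUILT) return;    /* guard: no second pass over our own output */
    frag_inputs++;
    if (reasm.len + p->len >= MAX_PAYLOAD) { reasm.len = 0; return; }
    memcpy(reasm.data + reasm.len, p->data, p->len);
    reasm.len += p->len;
    if (p->more_frags) return;             /* datagram not complete yet */
    Packet out = reasm;                    /* complete: copy, mark, reset, re-inject */
    out.flags = PKT_REBUILT;
    out.data[out.len] = '\0';
    reasm.len = 0;
    process_packet(&out);
}

/* A later preprocessor: sees every raw fragment and also the rebuilt packet. */
static void toy_inspect(const Packet *p) {
    if (!(p->flags & PKT_REBUILT)) { raw_seen++; return; }
    rebuilt_seen++;
    memcpy(last_rebuilt, p->data, p->len + 1);
}

/* Load order, fixed the way a config file would fix it: defragmenter first. */
static Preproc chain[] = { toy_frag, toy_inspect };
static void process_packet(const Packet *p) {
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) chain[i](p);
}

/* Feed a constructed two-fragment datagram through the chain. */
static int run_demo(void) {
    Packet a = { 0, 1, 6, "hello " }, b = { 0, 0, 5, "world" };
    frag_inputs = rebuilt_seen = raw_seen = 0; reasm.len = 0;
    process_packet(&a); process_packet(&b);
    return rebuilt_seen;
}

int main(void) { printf("rebuilt packets seen: %d\n", run_demo()); return 0; }
```

Without the flag check at the top of toy_frag, the re-injected packet would be counted as a fresh fragment and fed back into the reassembly buffer.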