Snort mailing list archives

Re: preprocessors


From: Todd Wease <twease () sourcefire com>
Date: Thu, 17 Dec 2009 08:58:53 -0500

1)  The preprocessors work in the order you have them in the config
file.  So first the frag3 engine cleans up layer 2 fragmentation.  Then
the stream engine handles the reassembly of IP segmentation.  Then (for
example) the http_inspect engine applies some intelligence to the data
and sorts it into buffers that we can specifically look at in the
detection engine.  This way we can write rules that are faster and more
accurate.

Preprocessors have a priority associated with them and will be run in 
order of their priority.  If the priority is the same, then the ordering 
in which they are in snort.conf matters.  The priorities are labelled as 
such from highest priority to lowest:

#define PRIORITY_FIRST           0x0
#define PRIORITY_NETWORK        0x10
#define PRIORITY_TRANSPORT     0x100
#define PRIORITY_TUNNEL        0x105
#define PRIORITY_SCANNER       0x110
#define PRIORITY_APPLICATION   0x200
#define PRIORITY_LAST         0xffff


Also note that dynamic preprocessors are configured after non-dynamic
preprocessors, so for the same priority group, they will always be 
evaluated after non-dynamic preprocessors.


The current priorities for the preprocessors are:

PRIORITY_NETWORK
----------------
frag3
arpspoof


PRIORITY_TRANSPORT
------------------
stream5


PRIORITY_TUNNEL
---------------
ssl


PRIORITY_SCANNER
----------------
sfportscan
perfmonitor


PRIORITY_APPLICATION
--------------------
httpinspect
rpc_decode

(dynamic preprocessors)
ssh
ftptelnet
dns
smtp
dcerpc2


PRIORITY_LAST
-------------
bo


Also, don't let the configuration output confuse you as to when the 
preprocessor is actually run.  They are configured, then inserted into a 
list based on priority.  The only time the configuration order matters 
is if they are the same priority.
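As an added illustration (not Snort's own code), a small C model of the ordering rules described in this message: each preprocessor is inserted into a list kept sorted by priority, an equal priority goes after the entries already present (so snort.conf order only breaks ties), and dynamic preprocessors are configured after the static ones. The sample configuration, its `dynamic` flags and the `run_position` helper are constructed for this example.

```c
#include <string.h>
/* Priority constants as listed in the post (highest priority first). */
#define PRIORITY_NETWORK        0x10
#define PRIORITY_TRANSPORT     0x100
#define PRIORITY_APPLICATION   0x200
#define MAX_PP 16

typedef struct { const char *name; unsigned priority; int dynamic; } Preproc;

/* Insert p into list[0..n) keeping it sorted by priority; an equal
   priority goes after existing entries, so configuration order wins ties. */
static int insert_by_priority(Preproc *list, int n, Preproc p) {
    int i = n;
    while (i > 0 && list[i - 1].priority > p.priority) { list[i] = list[i - 1]; i--; }
    list[i] = p;
    return n + 1;
}

/* Build the run order: static preprocessors are configured (inserted)
   first, dynamic ones afterwards, each in snort.conf order. */
int build_run_order(const Preproc *conf, int nconf, Preproc *run) {
    int n = 0;
    for (int pass = 0; pass < 2; pass++)       /* 0 = static, 1 = dynamic */
        for (int i = 0; i < nconf && n < MAX_PP; i++)
            if (conf[i].dynamic == pass)
                n = insert_by_priority(run, n, conf[i]);
    return n;
}

/* Constructed sample snort.conf order, deliberately not in run order. */
static const Preproc sample_conf[] = {
    {"http_inspect", PRIORITY_APPLICATION, 0},
    {"smtp",         PRIORITY_APPLICATION, 1},   /* dynamic preprocessor */
    {"frag3",        PRIORITY_NETWORK,     0},
    {"stream5",      PRIORITY_TRANSPORT,   0},
    {"rpc_decode",   PRIORITY_APPLICATION, 0},
};

/* 0-based run position of a named preprocessor in the sample, or -1 if absent. */
int run_position(const char *name) {
    Preproc run[MAX_PP];
    int n = build_run_order(sample_conf, (int)(sizeof sample_conf / sizeof *sample_conf), run);
    for (int i = 0; i < n; i++)
        if (strcmp(run[i].name, name) == 0)
            return i;
    return -1;
}
```

With this configuration frag3 runs first and stream5 second even though both are listed after http_inspect, and smtp runs last among the application-layer preprocessors because it is dynamic.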

