Snort mailing list archives
Re: preprocessors
From: Matt Olney <molney () sourcefire com>
Date: Thu, 17 Dec 2009 09:27:33 -0500
The Todd speaks! Thanks, I learned something (and need to update some slides). Folks, in case you are wondering, Todd is where the VRT goes when it has deep-in-the-guts issues with preprocessors. He is also our external check when we develop SO rules (and, I'll be honest, he finds some stuff we missed :)). He is also roughly 6.7-7.2 flavors of awesome.

Thanks Todd

Matt

On Thu, Dec 17, 2009 at 8:58 AM, Todd Wease <twease () sourcefire com> wrote:
> > 1) The preprocessors work in the order you have them in the config file. So first the frag3 engine cleans up layer 2 fragmentation. Then the stream engine handles the reassembly of IP segmentation. Then (for example) the http_inspect engine applies some intelligence to the data and sorts it into buffers that we can specifically look at in the detection engine. This way we can write rules that are faster and more accurate.
>
> Preprocessors have a priority associated with them and will be run in order of their priority. If the priority is the same, then the ordering in which they are in snort.conf matters. The priorities are labelled as such from highest priority to lowest:
>
>     #define PRIORITY_FIRST 0x0
>     #define PRIORITY_NETWORK 0x10
>     #define PRIORITY_TRANSPORT 0x100
>     #define PRIORITY_TUNNEL 0x105
>     #define PRIORITY_SCANNER 0x110
>     #define PRIORITY_APPLICATION 0x200
>     #define PRIORITY_LAST 0xffff
>
> Also note that dynamic preprocessors are configured after non-dynamic preprocessors, so for the same priority group, they will always be evaluated after non-dynamic preprocessors.
>
> The current priorities for the preprocessors are:
>
> PRIORITY_NETWORK
> ----------------
> frag3
> arpspoof
>
> PRIORITY_TRANSPORT
> ------------------
> stream5
>
> PRIORITY_TUNNEL
> ---------------
> ssl
>
> PRIORITY_SCANNER
> ----------------
> sfportscan
> perfmonitor
>
> PRIORITY_APPLICATION
> --------------------
> httpinspect
> rpc_decode
> (dynamic preprocessors)
> ssh
> ftptelnet
> dns
> smtp
> dcerpc2
>
> PRIORITY_LAST
> -------------
> bo
>
> Also, don't let the configuration output confuse you as to when the preprocessor is actually run. They are configured, then inserted into a list based on priority. The only time the configuration order matters is if they are the same priority.
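As an added illustration of the ordering rule Todd describes (this is example code written for this page, not code from the Snort source or from either poster), the block below models the three-key ordering: priority value first, then built-in before dynamic within the same priority, then snort.conf order as the final tie-break. The priority constants and the per-preprocessor classes are the ones quoted in the post; the snort.conf ordering in CONSTRUCTED_CONF is deliberately scrambled and is a constructed input, not a real configuration, so that config order alone would give a visibly different answer than the priority-based insertion does.

```c
#include <stdio.h>
#include <string.h>

/* Priority classes exactly as quoted in the post (highest priority first). */
#define PRIORITY_FIRST       0x0
#define PRIORITY_NETWORK     0x10
#define PRIORITY_TRANSPORT   0x100
#define PRIORITY_TUNNEL      0x105
#define PRIORITY_SCANNER     0x110
#define PRIORITY_APPLICATION 0x200
#define PRIORITY_LAST        0xffff

#define MAX_PREPROCS 32

typedef struct {
    const char *name;
    unsigned    priority;
    int         dynamic;    /* 1 = dynamic preprocessor, configured after the built-ins */
    int         config_seq; /* position of the "preprocessor" line in snort.conf */
} Preproc;

/* Returns 1 if 'a' must run before 'b' under the rules in the post:
 * lower priority value first; same priority -> built-in before dynamic;
 * otherwise keep snort.conf order. */
static int runs_before(const Preproc *a, const Preproc *b)
{
    if (a->priority != b->priority) return a->priority < b->priority;
    if (a->dynamic != b->dynamic)   return a->dynamic < b->dynamic;
    return a->config_seq < b->config_seq;
}

/* Insert p into an already-sorted list (shifting later entries right);
 * returns the new list length. This is the "configured, then inserted
 * into a list based on priority" step from the post. */
static int insert_by_priority(Preproc *list, int n, Preproc p)
{
    int i = n;
    while (i > 0 && runs_before(&p, &list[i - 1])) {
        list[i] = list[i - 1];
        --i;
    }
    list[i] = p;
    return n + 1;
}

/* Constructed (hypothetical) snort.conf order, deliberately scrambled.
 * Priority class and dynamic flag for each name are taken from the post. */
static const Preproc CONSTRUCTED_CONF[] = {
    { "sfportscan",   PRIORITY_SCANNER,     0, 0 },
    { "http_inspect", PRIORITY_APPLICATION, 0, 1 },
    { "frag3",        PRIORITY_NETWORK,     0, 2 },
    { "stream5",      PRIORITY_TRANSPORT,   0, 3 },
    { "ssh",          PRIORITY_APPLICATION, 1, 4 },
    { "ssl",          PRIORITY_TUNNEL,      0, 5 },
    { "rpc_decode",   PRIORITY_APPLICATION, 0, 6 },
    { "bo",           PRIORITY_LAST,        0, 7 },
    { "arpspoof",     PRIORITY_NETWORK,     0, 8 },
    { "smtp",         PRIORITY_APPLICATION, 1, 9 },
    { "perfmonitor",  PRIORITY_SCANNER,     0, 10 },
};

/* Builds the evaluation order as a comma-separated string in 'out'
 * (capacity 'cap'). Returns the number of preprocessors placed. */
int build_run_order(char *out, size_t cap)
{
    Preproc list[MAX_PREPROCS];
    int n = 0;
    size_t count = sizeof CONSTRUCTED_CONF / sizeof CONSTRUCTED_CONF[0];

    for (size_t k = 0; k < count; ++k)
        n = insert_by_priority(list, n, CONSTRUCTED_CONF[k]);

    out[0] = '\0';
    for (int i = 0; i < n; ++i) {
        if (i) strncat(out, ",", cap - strlen(out) - 1);
        strncat(out, list[i].name, cap - strlen(out) - 1);
    }
    return n;
}

int main(void)
{
    char buf[256];
    int n = build_run_order(buf, sizeof buf);
    printf("%d preprocessors, run order: %s\n", n, buf);
    return 0;
}
```

Running it shows frag3 and arpspoof first even though sfportscan and http_inspect appear earlier in the constructed config, perfmonitor landing after sfportscan (same priority, later in the file), and ssh and smtp landing after http_inspect and rpc_decode (same priority, but dynamic), which is the behaviour the post describes.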