Snort mailing list archives

Re: Loosing alerts with 1.8.1-beta5 (was: Linux and packet loss)


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 09 Aug 2001 23:01:57 -0400

Jason Haar wrote:

Oh, and put frag2 before everything else, your preprocessors are going
to be run "out of order" otherwise (IOW, you probably want to do IP
defragmentation before the others...)


Whoa! That's news to me. I sort of expected the conf to be read from start
to finish and then acted on. Is that documented anywhere? I understand the
rules are order dependent - but never thought things like preprocessors
would be.

Now I know, I'll pay more attention to where I write things :-)

Thanks for the heads-up.

Preprocessors are run in the order that they're added to the internal
list, so you want to run them in the order that they appear in the stack
for best effect.  For example, frag2 operates at the network layer
(layer 3), so it should go first.  The stream4 code operates at the
transport layer, so it comes next, then you get to the application layer
normalizers and detectors.  The portscan detector runs as an "event
aggregator", so it should probably come last (after all reassembly and
normalization have been done).  The arpspoof plugin operates at the
network layer again, but since it's a non-ip protocol its order really
doesn't matter.

Someday I very well may document all this stuff... ;)

    -Marty


--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
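As an added example (not from this thread or from Snort itself), here is a small Python checker that reads the `preprocessor` lines of a snort.conf and flags any that are listed before a lower-layer one, using the layer ordering Marty describes above; the preprocessor names, the rank mapping and the sample config are my assumptions based on that reply.

```python
"""Check that preprocessor lines in a Snort 1.8-era snort.conf follow the
layering described above: frag2 (network) first, stream4 (transport) next,
application-layer decoders after that, portscan last. Hypothetical checker."""
import re

# Assumed rank per preprocessor, following the reply above: a lower rank
# must appear earlier in the file. arpspoof is non-IP, so it is unranked
# and ignored by the check.
LAYER_RANK = {
    "frag2": 0,              # network layer: IP defragmentation
    "stream4": 1,            # transport layer: TCP stream reassembly
    "stream4_reassemble": 1,
    "http_decode": 2,        # application-layer normalizers/detectors
    "rpc_decode": 2,
    "telnet_decode": 2,
    "portscan": 3,           # event aggregator: should run last
}

PREPROC_RE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_-]+)")

def preprocessor_order(conf_text):
    """Return preprocessor names in the order they appear in the config."""
    return [m.group(1) for m in
            (PREPROC_RE.match(line) for line in conf_text.splitlines()) if m]

def order_violations(conf_text):
    """Return (earlier, later) pairs where a higher-layer preprocessor is
    listed before a lower-layer one, i.e. the stack order is inverted."""
    ranked = [(n, LAYER_RANK[n]) for n in preprocessor_order(conf_text)
              if n in LAYER_RANK]
    violations = []
    for i, (name_a, rank_a) in enumerate(ranked):
        for name_b, rank_b in ranked[i + 1:]:
            if rank_b < rank_a:
                violations.append((name_a, name_b))
    return violations

# Constructed sample config: portscan and http_decode wrongly precede frag2.
SAMPLE_CONF = """\
preprocessor portscan: $HOME_NET 4 3 portscan.log
preprocessor http_decode: 80
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor arpspoof
"""

if __name__ == "__main__":
    for earlier, later in order_violations(SAMPLE_CONF):
        print(f"move {later} above {earlier}")
```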
