Snort mailing list archives

detection and preprocessor plugins


From: Steve Halligan <agent33 () geeksquad com>
Date: Mon, 28 Jan 2002 14:24:36 -0600


I want to write a plugin to detect the presence of something in the data
portion of a packet.
This "something" is too complex and random for a signature, so it needs to
be done via a plugin.

However, my detection could be completely thwarted by simply fragging the
packet.  My questions are:

1)  Should this be a detection plugin or a preprocessor?
2)  Is there anyplace that I would have access to the packet that has been
reassembled by the defrag preprocessor?
3)  If one has multiple preprocessors, what determines the order they run
in?  Can the defrag run first, then others, allowing them to see the packet
in its defragged form?
4)  spp_bo (the back orifice preprocessor) is a preprocessor.  If #3 above
is not possible, can it be thwarted by running the packets through a
fragrouter?

-steve

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
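The evasion the post worries about (a detector that only ever sees one fragment at a time) is easy to reproduce in a few lines. The following is an added illustration, not Snort code and not from the thread: a simplified IPv4-style reassembler (offset in 8-byte units, MF flag) standing in for a defrag preprocessor, with the same byte-pattern check run once per fragment and once on the reassembled datagram. The HTTP-like payload, the `MARKER-STRING` needle and the 16-byte fragment size are constructed for the demo.

```python
"""Why detection should run after fragment reassembly (constructed example).

A detector that inspects each IP fragment on its own misses a pattern that is
split across two fragments; the same detector run on the reassembled datagram
finds it.  The reassembler below is a deliberately small stand-in for a defrag
preprocessor: it handles out-of-order arrival and refuses to report on an
incomplete or overlapping set of fragments.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    ident: int      # IP identification shared by all fragments of one datagram
    offset: int     # fragment offset in 8-byte units, as in the IPv4 header
    more: bool      # MF flag: True for every fragment except the last
    payload: bytes


def fragment(ident: int, payload: bytes, chunk: int = 16) -> List[Fragment]:
    """Split a payload into fragments; chunk must be a multiple of 8 bytes."""
    assert chunk % 8 == 0
    frags = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + chunk < len(payload)
        frags.append(Fragment(ident, start // 8, more, piece))
    return frags


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Return the full datagram payload, or None if it cannot be rebuilt safely."""
    if not frags or len({f.ident for f in frags}) != 1:
        return None                      # empty, or fragments of different datagrams
    buf = bytearray()
    expected = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset * 8 != expected:     # gap or overlap: do not guess, report nothing
            return None
        buf.extend(f.payload)
        expected += len(f.payload)
        if not f.more:
            return bytes(buf)            # last fragment seen, datagram complete
    return None                          # MF=0 fragment never arrived


def detect(payload: bytes, needle: bytes) -> bool:
    """Placeholder for the real check; a plain substring match is enough here."""
    return needle in payload


def detect_per_fragment(frags: List[Fragment], needle: bytes) -> bool:
    """What a plugin sees if it runs on raw fragments: each one in isolation."""
    return any(detect(f.payload, needle) for f in frags)


def detect_after_reassembly(frags: List[Fragment], needle: bytes) -> bool:
    """What a plugin sees if it runs after the defrag stage."""
    data = reassemble(frags)
    return data is not None and detect(data, needle)


# Constructed sample: the needle straddles the boundary between fragments 3 and 4.
SAMPLE = b"GET /index.html HTTP/1.0\r\nUser-Agent: MARKER-STRING\r\n\r\n"
NEEDLE = b"MARKER-STRING"
FRAGS = fragment(ident=0x1234, payload=SAMPLE)


if __name__ == "__main__":
    print("fragments:", [(f.offset, f.more, f.payload) for f in FRAGS])
    print("per-fragment detection   :", detect_per_fragment(FRAGS, NEEDLE))
    print("after-reassembly detection:", detect_after_reassembly(FRAGS, NEEDLE))
    print("reversed arrival order    :", detect_after_reassembly(FRAGS[::-1], NEEDLE))
    print("last fragment missing     :", detect_after_reassembly(FRAGS[:-1], NEEDLE))
```

The per-fragment check returns False because no single fragment carries the whole needle, while the post-reassembly check returns True even when the fragments arrive reversed; with the final fragment absent the reassembler reports nothing rather than matching on partial data, which is the behaviour a detector should expect from the defrag stage it sits behind.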