Snort mailing list archives

RE: detection and preprocessor plugins


From: Steve Halligan <agent33 () geeksquad com>
Date: Tue, 29 Jan 2002 09:34:28 -0600

Please allow me to answer my own question.  When frag2 determines that it
has a complete packet rebuilt, it dumps the packet back into
ProcessPacket(), which will give all the preprocessors (even frag2 itself
actually) another shot at the new rebuilt packet.

-steve

 
3)  If one has multiple preprocessors, what determines the order they run
in?  Can the defrag run first, then others, allowing them to see the packet
in its defragged form?

The order is determined by the way that they're loaded in the snort.conf
file.  The default order has spp_frag2 loaded first.

So if frag2 is loaded first, will other preprocessors see a packet in its
defragged state?
Or is the defragged packet only available to detection plugins and the
signature engine?

-steve
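
The re-injection flow described in the message above, as an added toy model in C. It is not Snort source code and not part of the original post: every name except frag2 and ProcessPacket is hypothetical, the reassembly buffer handles a single flow, and the two fragments are constructed sample input.

```c
#include <string.h>
/* Toy model of the flow above; not Snort source. Names are hypothetical. */
typedef struct {
    int more_frags;   /* 1 = more fragments follow */
    int offset;       /* byte offset of this fragment's data */
    int rebuilt;      /* 1 = produced by the defragmenter */
    char data[64];
} Packet;
typedef void (*Preproc)(Packet *);
static void process_packet(Packet *p);

static char frag_buf[64];               /* one reassembly buffer, one flow */
static int frag2_calls, inspector_hits;

/* Defragmenter: buffers fragments, then re-injects the rebuilt packet. */
static void toy_frag2(Packet *p) {
    frag2_calls++;
    if (p->rebuilt || (!p->more_frags && p->offset == 0)) return; /* not a fragment */
    size_t len = strlen(p->data);
    if (p->offset < 0 || (size_t)p->offset + len >= sizeof frag_buf) return;
    memcpy(frag_buf + p->offset, p->data, len);
    if (!p->more_frags) {                       /* last fragment: rebuild */
        Packet whole = { 0, 0, 1, "" };
        frag_buf[p->offset + len] = '\0';
        strcpy(whole.data, frag_buf);
        process_packet(&whole);   /* second pass through every preprocessor */
    }
}

/* Downstream preprocessor: looks for a marker that spans two fragments. */
static void toy_inspector(Packet *p) {
    if (strstr(p->data, "TESTPATTERN")) inspector_hits++;
}

/* Array order stands in for load order in the config: defragmenter first. */
static Preproc chain[] = { toy_frag2, toy_inspector };
static void process_packet(Packet *p) {
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) chain[i](p);
}

/* Feeds a constructed two-fragment datagram; returns inspector match count. */
int run_demo(void) {
    Packet a = { 1, 0, 0, "xxTESTPA" };   /* first fragment, 8 bytes */
    Packet b = { 0, 8, 0, "TTERN" };      /* last fragment at offset 8 */
    memset(frag_buf, 0, sizeof frag_buf); frag2_calls = inspector_hits = 0;
    process_packet(&a); process_packet(&b);
    return inspector_hits;
}
```

Neither fragment matches on its own; the single match comes from the rebuilt packet, and the defragmenter itself is invoked a third time on that packet.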
