Re: detection and preprocessor plugins

[Martin Roesch <roesch () sourcefire com>]

Right, but the packet is marked as a rebuilt frag so frag2 knows to ignore
it.

     -Marty


On 1/29/02 10:34 AM, "Steve Halligan" <agent33 () geeksquad com> wrote:

> Please allow me to answer my own question.  When frag2 is determines that it
> has a complete packet rebuilt, it dumps the packet back into
> ProcessPacket(), which will give all the preprocessors (even frag2 itself
> actually) another shot at the new rebuilt packet.
>
> -steve
>
>
> > > > 3)  If one have multiple preprocessors, what determines the
> > > order they run
> > > > in?  Can the defrag run first, then others, allowing them
> > > to see the packet
> > > > in its defragged form?
> > >
> > > The order is determined by the way that they're loaded in the
> > > snort.conf
> > > file.  The default order has spp_frag2 loaded first.
> > So if frag2 is loaded first, will other preprocessors see a
> > packet in its
> > defragged state?
> > Or is the defragged packet only available to detection plugins and the
> > signature engine?
> >
> > -steve
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users