Snort mailing list archives
Re: preprocessor's rules?
From: "Justin Heath" <justin.heath () gmail com>
Date: Tue, 15 Apr 2008 08:41:27 -0400
This broke the threading on gmail. I guess it must be an imaginary MUA.
Cheers,
Justin

On Tue, Apr 15, 2008 at 7:53 AM, Nigel Houghton <nigel () sourcefire com> wrote:
(I removed the useless extra "?"s from the subject, if this breaks your
threading try using a real MUA)
On 4/15/08 1:36 AM, "Rachmat Hidayat Al-Anshar"
<rachmat_hidayat_02 () yahoo com> wrote:
> Hi all.... :)
>
> I just want to know more about the following line in
> the Snort configuration file..
> var PREPROC_RULE_PATH ../preproc_rules
>
> what are preprocessor rules??
> and then, since I know that Snort's preprocessor only
> uses plug-ins for its
> process, is there something that I missed about these
> "rules" for preprocessor...
>
> Any response supporting this question will be greatly
> appreciated
> Thanks in advance
> Rachmat Hidayat Al Anshar
From the ChangeLog:
2007-08-30 Steven Sturges <ssturges () sourcefire com>
<snip>
Added support to provide action control (alert, drop, pass, etc)
over preprocessor and decoder generated events, as well as references
and classifications via a rule. These rules do not include IP
addresses as the individual preprocessor/decoder configuration
dictates the traffic to which an event applies. In conjunction
with this, certain post-processing rule options (tag, logto, etc)
may be added to those rules, while other options that relate to data
inspection (content, byte_test, etc) may not. Enable via
--enable-decoder-preprocessor-rules option to configure.
Been there for a while.
--
Nigel Houghton
Resident Hooligan
SF VRT
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
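
Added example (not from the thread or from the Snort project): a small Python check for the two constraints in the ChangeLog entry quoted above, that a preprocessor/decoder rule carries no IP header and no data-inspection options. It assumes the header-less `action ( options; )` rule form with `gid` and `sid` identifying the event; the option set holds only the names the ChangeLog lists, and the sample rules are constructed.

```python
import re

# Options the ChangeLog names; its list ends in "etc", so this set is partial.
DATA_INSPECTION = {"content", "byte_test"}  # not allowed in these rules

# Assumed rule form: "action ( options )" with no protocol, IPs or ports.
HEADERLESS = re.compile(r"^(\w+)\s*\((.*)\)\s*$", re.S)
# One option up to its ';' (a quoted string may itself contain ';').
OPTION = re.compile(r'\s*((?:"(?:\\.|[^"\\])*"|[^;"])+);')

def check_preproc_rule(rule):
    """Return (action, options, problems) for one rule line."""
    m = HEADERLESS.match(rule.strip())
    if not m:
        return None, {}, ["rule has a header (protocol/IP/port) or is malformed"]
    action, body = m.groups()
    options, problems = {}, []
    for raw in OPTION.findall(body):
        name, _, value = raw.partition(":")
        options[name.strip()] = value.strip()
    for name in options:
        if name in DATA_INSPECTION:
            problems.append(f"data-inspection option not allowed: {name}")
    # Assumption: the event a rule controls is selected by its gid/sid pair.
    for key in ("gid", "sid"):
        if key not in options:
            problems.append(f"missing {key}")
    return action, options, problems

# Constructed sample rules, not taken from a shipped rules file.
SAMPLE = """\
# constructed sample
alert ( msg: "constructed decoder event"; gid: 116; sid: 1; rev: 1; )
drop ( msg: "constructed event; quoted semicolon"; gid: 116; sid: 2; tag: session,10,packets; )
alert tcp any any -> any 80 ( msg: "has a header"; gid: 119; sid: 1; )
alert ( msg: "inspects payload"; gid: 119; sid: 3; content: "abc"; )
"""

def lint(text):
    """Map line number -> problems for every rule line that fails the checks."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            problems = check_preproc_rule(line)[2]
            if problems:
                report[n] = problems
    return report

if __name__ == "__main__":
    for n, problems in lint(SAMPLE).items():
        print(n, problems)
```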
