Snort mailing list archives

preprocessors


From: Jonas Pfoh <pfoh () sec in tum de>
Date: Wed, 16 Dec 2009 13:56:06 +0100

Hi,

I have two questions about using preprocessors.

1. Do I understand correctly that preprocessors such as frag3 do some 
preprocessing (in the case of frag3, assemble packets), then send them 
along to the detection engine to be analyzed?  Clearly it makes sense 
that they do as they are called "preprocessors", but it brings me to my 
next question...

2. Preprocessors like sfPortscan seem to do less preprocessing and more 
alerting...shouldn't this be the job of the detection engine?  Is it 
done in a preprocessor because state is needed?  When an alert is 
triggered by the preprocessor, is/are the packet(s) still sent to the 
detection engine?

Thanks for your help.

-Jonas
