Snort mailing list archives
Re: order of processing of incoming packets in preprocessors of snort
From: "Hui Cao (huica)" <huica () cisco com>
Date: Wed, 5 Mar 2014 15:00:15 +0000
Hi Simegnew,

The order of processing depends on the priority that is set when a preprocessor is registered. If two preprocessors have the same priority, the one initialized first is processed first. PRIORITY_FIRST has the highest priority. In snort, we have the following priorities:

#define PRIORITY_FIRST
#define PRIORITY_NORMALIZE
#define PRIORITY_NETWORK
#define PRIORITY_TRANSPORT
#define PRIORITY_TUNNEL
#define PRIORITY_SCANNER
#define PRIORITY_SESSION
#define PRIORITY_APPLICATION
#define PRIORITY_LAST

Currently, snort has the following processing order:

reputation -> normalize -> frag | arpspoof -> stream -> ssl -> portscan | perfmonitor -> ftp -> all others

FYI: If you can submit this type of question to snort-devel, you might get answers from developers easily.

Best,
Hui.

On 3/5/14, 7:53 AM, "simegnew yihunie" <syihunie () gmail com> wrote:
Hey Guys,

I have got confused about the order of processing of incoming packets from the packet decoder in the preprocessors of snort. That means incoming packets go from the packet decoder to the preprocessors, but what is the order of presentation in the preprocessors, like frag -> stream -> etc.? Anyone who knows this, please tell me.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
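The ordering rule described in the reply above (lower priority value runs first, ties broken by registration order), as an added example that is not Snort's own code and not part of the original messages. The numeric priority values, the register_preproc and preproc_at helpers, and the priority assigned to each preprocessor name are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Priority names are from the message above; the numeric values are
 * constructed for this example (lower value = processed earlier). */
enum { PRIORITY_FIRST, PRIORITY_NORMALIZE, PRIORITY_NETWORK, PRIORITY_TRANSPORT,
       PRIORITY_TUNNEL, PRIORITY_SCANNER, PRIORITY_SESSION,
       PRIORITY_APPLICATION, PRIORITY_LAST };

#define MAX_PP 32
struct preproc { const char *name; int priority; };
static struct preproc chain[MAX_PP];
static int chain_len;

/* Hypothetical registration helper: the new entry is placed after every
 * entry whose priority value is <= its own, so preprocessors with equal
 * priority keep the order in which they were registered.
 * Returns the slot used, or -1 if the chain is full. */
int register_preproc(const char *name, int priority)
{
    if (chain_len == MAX_PP) return -1;
    int pos = chain_len;
    while (pos > 0 && chain[pos - 1].priority > priority) {
        chain[pos] = chain[pos - 1];   /* shift later-stage entries down */
        pos--;
    }
    chain[pos].name = name;
    chain[pos].priority = priority;
    chain_len++;
    return pos;
}

/* Name of the preprocessor that runs i-th, or NULL if out of range. */
const char *preproc_at(int i)
{
    return (i >= 0 && i < chain_len) ? chain[i].name : NULL;
}

int main(void)
{
    /* Registered deliberately out of order; the priority given to each
     * name is an assumption inferred from the order listed above. */
    register_preproc("stream", PRIORITY_TRANSPORT);
    register_preproc("frag", PRIORITY_NETWORK);
    register_preproc("arpspoof", PRIORITY_NETWORK);
    register_preproc("normalize", PRIORITY_NORMALIZE);
    register_preproc("reputation", PRIORITY_FIRST);
    for (int i = 0; i < chain_len; i++)
        printf("%d: %s\n", i, preproc_at(i));
    return 0;
}
```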
Current thread:
- order of processing of incoming packets in preprocessors of snort simegnew yihunie (Mar 05)
- Re: order of processing of incoming packets in preprocessors of snort Hui Cao (huica) (Mar 05)
- Re: order of processing of incoming packets in preprocessors of snort James Lay (Mar 05)
- Re: order of processing of incoming packets in preprocessors of snort Hui Cao (huica) (Mar 05)