Re: order of processing of incoming packets in preprocessors of snort

[James Lay <jlay () slave-tothe-box net>]

On 2014-03-05 08:00, Hui Cao (huica) wrote:
> Hi Simegnew,
>
> The order of processing depends on priority that is set when
> preprocessor is registered. If two preprocessors have the same 
> priority,
> the one initialized first is processed first. PRIORITY_FIRST has the
> highest priority.  In snort, we have the following priorities:
>
> #define PRIORITY_FIRST
> #define PRIORITY_NORMALIZE
> #define PRIORITY_NETWORK
> #define PRIORITY_TRANSPORT
> #define PRIORITY_TUNNEL
> #define PRIORITY_SCANNER
> #define PRIORITY_SESSION
> #define PRIORITY_APPLICATION
> #define PRIORITY_LAST
>
> Currently, snort has the following processing order:
>
> reputation -> normalize -> frag | arpspoof ->stream ->ssl -> portscan 
> |
> permonitor ->ftp -> all others
>
> FYI: If you can submit this type of question to snortt-devel, you 
> might
> get answers from developers easily.
>
>
> Best,
> Hui.

This is good intel...thank you.

James

------------------------------------------------------------------------------
Subversion Kills Productivity. Get off Subversion & Make the Move to Perforce.
With Perforce, you get hassle-free workflows. Merge that actually works. 
Faster operations. Version large binaries.  Built-in WAN optimization and the
freedom to use Git, Perforce or both. Make the move to Perforce.
http://pubads.g.doubleclick.net/gampad/clk?id=122218951&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!