Re: Order of Preprocessors

[Y M <snort () outlook com>]

Hi Tony,
 
This thread may provide insight:
 
http://seclists.org/snort/2014/q1/586
 
YM
 
> Date: Fri, 21 Mar 2014 22:34:10 -0400
> From: deusexmachina667 () gmail com
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Order of Preprocessors
>
> Hello All,
>
> I'm in the midst of writing up huge chunks of documentation on how
> snort processes traffic from being taken in off the wire all the way
> up to the rule trees. I plan on making this information free and
> available for everyone, everywhere.
>
> Last time I took the snort and SFCP exams, was around 2.8.6 and 3D
> system 4.9... ish. Anyhoo, my point is that I do not want to presume
> that my knowledge of snort or its preprocessors is or was ever
> perfect, so I'm asking for help from fellow professionals to ensure I
> get this right the first time.
>
> Now, if I recall correctly, the GENERAL order in which snort processes
> traffic is something like:
>
> 1. Traffic comes inbound. If interface is not busy (e.g. Dropping
> Packets at the interface/kernel level), proceed
> 2. BPF applied. If traffic meets criteria, proceed
> 3. Packet Decoder decodes traffic.
> 4. Network-Layer preprocessors (ip rep => arp spoof => frag 3 =>
> stream 5 => normalize?)
> 5. Application-Level preprocessors (http, ftp/telnet, modbus/DNP3,
> DCE/RPC, SunRPC, SSL, SSH, etc.)
> 6. Specific Threats (BO, sfportscan, others?)
> 7. Rule Chains
>
> Am I correct in my assertions? If not, can anyone correct me?
>
> Next: The IP Reputation Preprocessor. According to the official
> snort.org documentation, it's stated that this preprocessor "runs
> before other preprocessors". Is IP Reputation ran before packet
> decoding, or is packet decoding still the absolute first step?
>
> Next: Network-Layer preprocessors. I'm a little foggy in this area as
> well. In general terms, I know that frag3 comes before stream 5, but
> where does arpspoof fit in? If the sensor is inline and normalize is
> enabled, Where does normalization take place?
>
> If I get answers to these questions, I will make sure to attribute
> them to the snort-users mailing list.
>
> Thanks,
>
> Tony
> -- 
> when does reality end? when does fantasy begin?
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/13534_NeoTech
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!