[Snort-devel] ds_list-like processing for packets

Todd Lewis tlewis at ...255...
Mon Apr 2 02:00:10 EDT 2001

On Tue, 27 Mar 2001, Fyodor wrote:

> < Chris Green wrote: >
> > To handle the decoder engine, there could be an spp_ignore that would
> > set do_detect to 0 if the packet hasn't been processed enough to pass
> > to the decoding engine.
> Well, that's actually why I think in snort 2.x we will need to sort out
> preprocessors to different layers (or make an ability for preprocessor to be
> able to to identify itself 'belonging' to certain level, so snort would know
> when to execute it), i.g. there's no reason to run ftp preprocessor
> on a packet if it hasn't passed through tcp stream reassembly yet.

I think that you guys are really going to like the model I'm drafting
up right now.  It is very much like what Fyodor suggests.  (This is
so exciting!)

Todd Lewis
tlewis at ...255...

More information about the Snort-devel mailing list