[Snort-devel] ds_list-like processing for packets

Todd Lewis tlewis at ...255...
Mon Apr 2 02:00:10 EDT 2001


On Tue, 27 Mar 2001, Fyodor wrote:

> < Chris Green wrote: >
> > To handle the decoder engine, there could be an spp_ignore that would
> > set do_detect to 0 if the packet hasn't been processed enough to pass
> > to the decoding engine.
> 
> Well, that's actually why I think in snort 2.x we will need to sort out
> preprocessors to different layers (or make an ability for preprocessor to be
> able to to identify itself 'belonging' to certain level, so snort would know
> when to execute it), i.g. there's no reason to run ftp preprocessor
> on a packet if it hasn't passed through tcp stream reassembly yet.

I think that you guys are really going to like the model I'm drafting
up right now.  It is very much like what Fyodor suggests.  (This is
so exciting!)

--
Todd Lewis
tlewis at ...255...





More information about the Snort-devel mailing list