[Snort-users] Re: [Snort-devel] Order of preprocessing...

Ashley Thomas athomas at ...1383...
Mon Jun 3 21:56:01 EDT 2002

- Isn't stream4 'always necessary' before http_decode / telnet_decode?

- Does a packet go through all the preprocessors, or does it have the
  intelligence to check if it is a TCP packet before sending it to stream4?
  And udp/icmp etc. need not go through any preprocessors except frag2. Am I
  right?

In rules.c
I see..

    idx = PreprocessList;

    /* walk the linked list of registered preprocessors, in list order */
    while(idx != NULL)
    {
        assert(idx->func != NULL);
        idx = idx->next;
    }

Looks like it calls all the preprocessors...

thanks a lot

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Chris Green
Sent: Monday, June 03, 2002 9:42 PM
To: Ashley Thomas
Cc: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
Subject: [Snort-users] Re: [Snort-devel] Order of preprocessing...

"Ashley Thomas" <athomas at ...1383...> writes:

> Hi,
> If we have all the following preprocessors turned on, the order in which
> packet will pass through them would be

From top to bottom in the config file.

> --->frag2--->stream4+--->http decode--->
>       |             |
>       |             +--->telnet decode-->
>       |             |
>       |             +--->rpc decode--->
>       |
>       +-------------------------------> icmp / udp packets
> This order is important. right ? correct me if i am wrong..

Yes.  There are actually a few streams

[ decodes ] -> detection engine

frag2 -> [ decodes ] -> detection engine

frag2 -> stream4 -> detection engine

Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
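
The two points in this thread (config-file order decides call order, and the loop quoted from rules.c hands every packet to every preprocessor) can be seen in a small model. This is an added example, not part of the original messages and not Snort's code: the Packet and PreprocNode types, add_preproc, note and preprocess are hypothetical, and the per-preprocessor protocol checks are an assumption about where the filtering happens.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins for illustration; not Snort's real structures. */
enum proto { PROTO_TCP, PROTO_UDP, PROTO_ICMP };
typedef struct { enum proto proto; int is_fragment; char trace[64]; } Packet;
typedef struct node { void (*func)(Packet *); struct node *next; } PreprocNode;

static PreprocNode *preproc_list = NULL;

/* Append at the tail, so list order follows config-file order. */
static void add_preproc(void (*func)(Packet *)) {
    PreprocNode *n = malloc(sizeof *n), **tail = &preproc_list;
    if (n == NULL) abort();
    n->func = func;
    n->next = NULL;
    while (*tail != NULL) tail = &(*tail)->next;
    *tail = n;
}

static void note(Packet *p, const char *name) {
    strncat(p->trace, name, sizeof p->trace - strlen(p->trace) - 1);
}

/* Assumption: each preprocessor decides for itself whether a packet applies. */
static void frag2(Packet *p)       { if (p->is_fragment) note(p, "frag2 "); }
static void stream4(Packet *p)     { if (p->proto == PROTO_TCP) note(p, "stream4 "); }
static void http_decode(Packet *p) { if (p->proto == PROTO_TCP) note(p, "http_decode "); }

/* Same shape as the quoted loop: the walker applies no protocol test. */
static int preprocess(Packet *p) {
    int calls = 0;
    for (PreprocNode *idx = preproc_list; idx != NULL; idx = idx->next) {
        idx->func(p);
        calls++;
    }
    return calls;
}

int main(void) {
    Packet tcp = { PROTO_TCP, 0, "" }, udp = { PROTO_UDP, 1, "" };  /* constructed samples */
    add_preproc(frag2);
    add_preproc(stream4);
    add_preproc(http_decode);
    printf("tcp: %d calls, acted: %s\n", preprocess(&tcp), tcp.trace);
    printf("udp: %d calls, acted: %s\n", preprocess(&udp), udp.trace);
    return 0;
}
```

In this model a UDP fragment still costs three calls, but only frag2 acts on it; swapping the add_preproc order changes the order recorded in the trace.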

