[Snort-users] Re: [Snort-devel] Order of preprocessing...

Ashley Thomas athomas at ...1383...
Mon Jun 3 21:56:01 EDT 2002


- Isn't stream4 'always necessary' before http_decode / telnet_decode?

- Does a packet go through all the preprocessors, or does it have the
  intelligence to check if it is a tcp packet before sending it to stream4?
  And udp/icmp etc. need not go through any preprocessors except frag2. Am I
  right?

in rules.c
i see..

    idx = PreprocessList;

    while(idx != NULL)
    {
        assert(idx->func != NULL);
        idx->func(p);
        idx = idx->next;
    }

Looks like it calls all the preprocessors...

thanks a lot
ashley


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Chris Green
Sent: Monday, June 03, 2002 9:42 PM
To: Ashley Thomas
Cc: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
Subject: [Snort-users] Re: [Snort-devel] Order of preprocessing...


"Ashley Thomas" <athomas at ...1383...> writes:

> Hi,
>
> If we have all the following preprocessors turned on, the order in which
> packet will pass through them would be

From top to bottom in the config file.

>
> --->frag2--->stream4+--->http decode--->
>       |             |
>       |             +--->telnet decode-->
>       |             |
>       |             +--->rpc decode--->
>       |
>       +-------------------------------> icmp / udp packets
>
>
> This order is important. right ? correct me if i am wrong..

Yes.  There are actually a few streams


[ decodes ] -> detection engine

frag2 -> [ decodes ] -> detection engine

frag2 -> stream4 -> detection engine
--
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
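
The dispatch behaviour discussed in this thread, as an added C sketch (not part of the original messages and not Snort source): a list walked exactly like the quoted rules.c loop calls every registered preprocessor for every packet, in registration order. The Packet type, the *_stub functions, add_preproc, run_preprocs and process are hypothetical, and the sketch assumes each preprocessor checks the protocol itself, which the thread does not confirm.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum proto { PROTO_TCP, PROTO_UDP, PROTO_ICMP };  /* hypothetical packet model */
typedef struct { enum proto proto; int is_fragment; char trace[64]; int calls; } Packet;
typedef struct PreprocNode { void (*func)(Packet *); struct PreprocNode *next; } PreprocNode;
static PreprocNode *PreprocessList = NULL;

/* Append at the tail so list order equals registration ("config file") order. */
static void add_preproc(void (*func)(Packet *))
{
    PreprocNode **tail = &PreprocessList, *n = calloc(1, sizeof(*n));
    if (n == NULL) abort();
    n->func = func;
    while (*tail != NULL) tail = &(*tail)->next;
    *tail = n;
}

/* Stand-ins (assumption): each is always called and filters for itself. */
static void frag2_stub(Packet *p)   { p->calls++; if (p->is_fragment) strcat(p->trace, "frag2 "); }
static void stream4_stub(Packet *p) { p->calls++; if (p->proto == PROTO_TCP) strcat(p->trace, "stream4 "); }
static void http_stub(Packet *p)    { p->calls++; if (p->proto == PROTO_TCP) strcat(p->trace, "http_decode "); }

/* Same traversal as the rules.c loop quoted above: no protocol check here. */
static void run_preprocs(Packet *p)
{
    for (PreprocNode *idx = PreprocessList; idx != NULL; idx = idx->next) {
        assert(idx->func != NULL);
        idx->func(p);
    }
}

static Packet process(enum proto proto, int is_fragment)
{
    Packet p = { proto, is_fragment, "", 0 };   /* constructed sample packet */
    if (PreprocessList == NULL) {               /* register once, in order */
        add_preproc(frag2_stub); add_preproc(stream4_stub); add_preproc(http_stub);
    }
    run_preprocs(&p);
    return p;
}

int main(void)
{
    Packet tcp = process(PROTO_TCP, 0), udp = process(PROTO_UDP, 0);
    printf("tcp: %d called [%s]\nudp: %d called [%s]\n", tcp.calls, tcp.trace, udp.calls, udp.trace);
    return 0;
}
```

For the UDP packet all three stand-ins are still invoked, but none of them acts on it.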
