[Snort-users] Re: [Snort-devel] Order of preprocessing...
athomas at ...1383...
Mon Jun 3 21:56:01 EDT 2002
- Isn't stream4 'always necessary' before http_decode / telnet_decode ?
- Does a packet go through all the preprocessors or does it have the
check if it is tcp packet before sending it to stream4 ?
and udp/icmp etc need not go thru any preprocessors except frag2. am i
    idx = PreprocessList;
    while(idx != NULL)
    {
        assert(idx->func != NULL);
        idx = idx->next;
    }
Looks like it calls all the preprocessors...
thanks a lot
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Chris Green
Sent: Monday, June 03, 2002 9:42 PM
To: Ashley Thomas
Cc: snort-users at lists.sourceforge.net; snort-devel at lists.sourceforge.net
Subject: [Snort-users] Re: [Snort-devel] Order of preprocessing...
"Ashley Thomas" <athomas at ...1383...> writes:
> If we have all the following preprocessors turned on, the order in which
> packet will pass through them would be
From top to bottom in the config file.
> --->frag2--->stream4+--->http decode--->
>       |             |
>       |             +--->telnet decode-->
>       |             |
>       |             +--->rpc decode--->
>       +-------------------------------> icmp / udp packets
> This order is important. right ? correct me if i am wrong..
Yes. There are actually a few streams
[ decodes ] -> detection engine
frag2 -> [ decodes ] -> detection engine
frag2 -> stream4 -> detection engine
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
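
Added example, not part of the original thread and not Snort source: a small C model of the list walk quoted above, showing that handlers run in registration (config-file) order and that every handler is called for every packet. Only PreprocessList, idx, func and next come from the post; the handler names and the rule that each handler filters by protocol itself are assumptions of this model.

```c
#include <assert.h>
#include <string.h>

/* Simplified model, not Snort source. Only PreprocessList, idx, func and
 * next come from the post; every other name is hypothetical. */
enum proto { PROTO_TCP, PROTO_UDP };
typedef struct { enum proto proto; char trace[64]; } Packet;
typedef struct PreprocNode { void (*func)(Packet *); struct PreprocNode *next; } PreprocNode;

static PreprocNode *PreprocessList = NULL;

/* Append at the tail so list order equals registration (config-file) order. */
static void register_preproc(PreprocNode *node, void (*func)(Packet *))
{
    PreprocNode **tail = &PreprocessList;
    while (*tail != NULL)
        tail = &(*tail)->next;
    node->func = func;
    node->next = NULL;
    *tail = node;
}

/* Assumption: each handler filters by protocol itself and returns early. */
static void frag2_model(Packet *p)   { strcat(p->trace, "frag2 "); }
static void stream4_model(Packet *p) { if (p->proto == PROTO_TCP) strcat(p->trace, "stream4 "); }
static void http_model(Packet *p)    { if (p->proto == PROTO_TCP) strcat(p->trace, "http_decode "); }

/* Walk the list: every function is called for every packet; returns call count. */
static int run_preprocessors(Packet *p)
{
    int calls = 0;
    for (PreprocNode *idx = PreprocessList; idx != NULL; idx = idx->next) {
        assert(idx->func != NULL);
        idx->func(p);
        calls++;
    }
    return calls;
}

/* Register three handlers in "config order" and push one packet through. */
static int demo(Packet *p)
{
    static PreprocNode n[3];
    PreprocessList = NULL;
    register_preproc(&n[0], frag2_model);
    register_preproc(&n[1], stream4_model);
    register_preproc(&n[2], http_model);
    return run_preprocessors(p);
}
```

In this model a UDP packet still costs three calls, but only the frag2 handler leaves a mark in its trace.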