[Snort-users] Re: [Snort-devel] Order of preprocessing...
cmg at ...402...
Tue Jun 4 06:01:08 EDT 2002
"Ashley Thomas" <athomas at ...1383...> writes:
> - Isn't stream4 'always necessary' before http_decode / telnet_decode ?
Nope. Some people run snort without stream4 and in that case, they
have to provide a best effort packet based inspection.
It is always recommended, however.
> - Does a packet go through all the preprocessors or does it have the
> intelligence to check if it is tcp packet before sending it to
> stream4 ?
Each preprocessor has that functionality to filter out the packets
that it doesn't wish to see. Read through spp_* and check out all the
routines that only accept a (Packet *p).
> and udp/icmp etc need not go thru any preprocessors
> except frag2. Am I right?
> In rules.c
> I see..
>     idx = PreprocessList;
>     while(idx != NULL)
>     {
>         assert(idx->func != NULL);
>         idx->func(p);
>         idx = idx->next;
>     }
> Looks like it calls all the preprocessors...
    if(p->tcph == NULL) {
        DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "p->tcph is null, returning\n"););
        return;
    }
    if(p->packet_flags & PKT_REBUILT_STREAM) {
        DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "REBUILT_STREAM returning\n"););
        return;
    }
Each of them is called but then they all choose to take each type of packet.
Chris Green <cmg at ...402...>
To err is human, to moo bovine.
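
Added example, not part of the original message and not Snort source: a minimal model of the dispatch pattern discussed in this thread, where the list walker calls every preprocessor and each preprocessor decides for itself which packets to inspect. The struct layouts, the flag value, and the names demo_stream, demo_any, preprocess and run_demo are assumptions made for illustration.

```c
#include <assert.h>
#include <stddef.h>
/* Simplified stand-ins for Snort's structures; fields and values are assumptions. */
#define PKT_REBUILT_STREAM 0x01          /* constructed flag value */

typedef struct { int sport, dport; } TCPHdr;
typedef struct {
    TCPHdr *tcph;                        /* NULL when the packet is not TCP */
    unsigned packet_flags;
} Packet;

typedef struct PreprocessFuncNode {
    void (*func)(Packet *);
    struct PreprocessFuncNode *next;
} PreprocessFuncNode;

static int calls, stream_seen, any_seen;

/* TCP-only preprocessor: it bails out itself, like the checks quoted above. */
static void demo_stream(Packet *p)
{
    calls++;
    if (p->tcph == NULL) return;                       /* not TCP */
    if (p->packet_flags & PKT_REBUILT_STREAM) return;  /* already reassembled */
    stream_seen++;
}

/* Protocol-agnostic preprocessor: takes every packet it is handed. */
static void demo_any(Packet *p) { (void)p; calls++; any_seen++; }

/* Dispatcher: no protocol logic here, every node is called for every packet. */
static void preprocess(PreprocessFuncNode *list, Packet *p)
{
    for (PreprocessFuncNode *idx = list; idx != NULL; idx = idx->next) {
        assert(idx->func != NULL);
        idx->func(p);
    }
}

/* Runs three constructed packets (TCP, non-TCP, rebuilt TCP) through the chain. */
int run_demo(void)
{
    TCPHdr th = { 1025, 80 };
    Packet pkts[3] = { { &th, 0 }, { NULL, 0 }, { &th, PKT_REBUILT_STREAM } };
    PreprocessFuncNode any = { demo_any, NULL }, stream = { demo_stream, &any };
    calls = stream_seen = any_seen = 0;
    for (int i = 0; i < 3; i++) preprocess(&stream, &pkts[i]);
    return calls;
}
```

The call count grows with packets times preprocessors, while the per-preprocessor counters show how many packets each one actually chose to inspect.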