[Snort-users] Re: [Snort-devel] Order of preprocessing...

Chris Green cmg at ...402...
Tue Jun 4 06:01:08 EDT 2002

"Ashley Thomas" <athomas at ...1383...> writes:

> - Is'nt stream4 'always necessary' before http_decode / telnet_decode ?

Nope.  Some people run snort without stream4 and in that case, they
have to provide a best effort packet based inspection.

It is always recommened however.

> - Does a packet go through all the preprocessors or does it have the
> intelligence to check if it is tcp packet before sending it to
> stream4 ?

Each preprocessor has that functionality to filter out the packets
that it doesn't wish to see.  Read through spp_* and check out all the
routines that only accept a (Packet *p)

> and udp/icmp etc need not go thru any preprocessors
> except frag2. am i right ?

> in rules.c
> i see..
>     idx = PreprocessList;
>     while(idx != NULL)
>     {
>         assert(idx->func != NULL);
>         idx->func(p);
>         idx = idx->next;
>     }
> Looks like it calls all the preprocessors...

    if(p->tcph == NULL)
	DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "p->tcph is null, returning\n"););

    if(p->packet_flags & PKT_REBUILT_STREAM)
	DEBUG_WRAP(DebugMessage(DEBUG_STREAM, "REBUILT_STREAM returning\n"););

EAch of them is called but then they all choose to take each type of packet.
Chris Green <cmg at ...402...>
To err is human, to moo bovine.

More information about the Snort-devel mailing list