[Snort-devel] Snort Packet Decoder

skaf skaf at ...2563...
Thu Jun 10 00:56:03 EDT 2004


How does Snort decide the application protocol? Is it only by the port
number, or does Snort rely on an analysis of the application layer?

If Snort analyses the application layer to decide the application
protocol, then:

- Is it the job of the decoder or of the preprocessors to decode this layer?

- If it is in the preprocessors, then how is the packet passed on after the
  first preprocessor decodes this layer?

For example, if we receive a telnet packet, let's assume that it first
passes through the HTTP preprocessor, which decides to pass it without
modification when it sees that it is telnet. Then, if the next is the
RPC preprocessor, will it decode the application layer to know that it
is telnet, or is the information passed from the HTTP preprocessor?

>Every packet is passed through every preprocessor.  The preprocessors
>decide if they want to muck with the packet or not.

Does the packet pass through the preprocessors in the order that they are
initialised in the snort.conf file, or in plugbase.c's
Initpreprocessors() function, or ...? Where is the order of the
preprocessors taken from (http then rpc then stream4 ...)?



-----Original Message-----
From: Brian [mailto:bmc at ...835...]
Sent: Wednesday, 9 June 2004 16:35
To: skaf
Cc: focus-ids at ...417...; snort-devel at lists.sourceforge.net
Subject: Re: [Snort-devel] Snort Packet Decoder

On Wed, Jun 09, 2004 at 11:33:34AM +0200, skaf wrote:
> Or is every packet that comes out of the decoder passed through
> all the preprocessors, with a check made inside the preprocessors to
> know if the packet belongs to the protocol that it treats (if it is
> telnet then it is treated by the telnet preprocessor and is dropped by
> the RPC preprocessor, for example)?

Every packet is passed through every preprocessor.  The preprocessors
decide if they want to muck with the packet or not.
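
Added example (not part of the thread and not Snort source code): a small C model of the dispatch described in the reply above, where every packet is handed to every preprocessor and each one decides for itself whether to act. The `pkt_t` type, the `pp_*` functions, the chain order and the port-based check are all assumptions of this sketch; the thread does not say how a real preprocessor selects its traffic or where the order comes from.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy packet with only the fields this sketch needs (constructed, not Snort's Packet). */
typedef struct { uint8_t ip_proto; uint16_t dport; int normalized_by; } pkt_t;

/* A preprocessor is a callback that sees every packet and returns 1 if it acted. */
typedef int (*preproc_fn)(pkt_t *p);

/* Assumption: each toy preprocessor selects its traffic by TCP destination port. */
static int claim(pkt_t *p, uint16_t port, int id)
{
    if (p->ip_proto != 6 || p->dport != port)
        return 0;              /* not mine: leave the packet untouched */
    p->normalized_by = id;     /* stand-in for real normalization work */
    return 1;
}
static int pp_http(pkt_t *p)   { return claim(p, 80, 1); }
static int pp_rpc(pkt_t *p)    { return claim(p, 111, 2); }
static int pp_telnet(pkt_t *p) { return claim(p, 23, 3); }

/* Hypothetical chain; the order used here is arbitrary. */
static preproc_fn chain[] = { pp_http, pp_rpc, pp_telnet };
#define N_CHAIN (sizeof chain / sizeof chain[0])

/* Call every preprocessor on the packet. Bit i of the result is set when
 * chain[i] acted; *calls counts how many preprocessors were invoked. */
unsigned run_chain(pkt_t *p, unsigned *calls)
{
    unsigned acted = 0;
    *calls = 0;
    for (size_t i = 0; i < N_CHAIN; i++) {
        (*calls)++;
        if (chain[i](p))
            acted |= 1u << i;
    }
    return acted;
}

int main(void)
{
    pkt_t telnet = { 6, 23, 0 }, odd = { 6, 2323, 0 };  /* constructed samples */
    unsigned calls, acted;
    acted = run_chain(&telnet, &calls);
    printf("port 23:   acted=0x%x calls=%u\n", acted, calls);
    acted = run_chain(&odd, &calls);
    printf("port 2323: acted=0x%x calls=%u\n", acted, calls);
    return 0;
}
```

In this model the second packet is still offered to all three preprocessors but none of them acts on it, which is the case to check for when a service runs on a port the configuration does not list.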

