[Snort-users] preproccesor stream

Lance Spitzner lance at ...185...
Thu Jan 18 21:55:52 EST 2001

apologies if this has already been discussed.

What does 'preprocessor stream' give me?  If I
add the following to snort.conf

preprocessor stream: timeout 5, ports 21 23 80 8080, maxbytes 16384

What value have I just gained?  Does this mean it will reassemble
the TCP connection first, then apply the signature rulebase against
the assembled stream? As opposed to normal snort activity, which is
to compare individual packets against signature database?

What kind of attacks will this detect that are not normally


Lance Spitzner

More information about the Snort-users mailing list