[Snort-users] detection and preprocessor plugins

Steve Halligan agent33 at ...187...
Mon Jan 28 12:25:08 EST 2002


I wan't to write a plugin to detect the presence of something in the data
portian of a packet.
This "something" is too complex and random for a signature, so it needs to
be done via a plugin.

However, my detection could be completely thwarted be simply fragging the
packet.  My questions are:

1)  Should this be a detection plugin or a preprocessor?
2)  Is there anyplace that I would have access to the packet that has been
reassembled by the defrag prprocessor?
3)  If one have multiple preprocessors, what determines the order they run
in?  Can the defrag run first, then others, allowing them to see the packet
in its defragged form?
4)  spp_bo (the back orifice preprocessor) is a preprocessor.  If #3 above
is not possible, can it be thwarted by running the packets through a
fragrouter?

-steve




More information about the Snort-users mailing list