[Snort-users] detection and preprocessor plugins
roesch at ...1935...
Mon Jan 28 19:02:03 EST 2002
On 1/28/02 3:24 PM, "Steve Halligan" <agent33 at ...187...> wrote:
> I want to write a plugin to detect the presence of something in the data
> portion of a packet.
> This "something" is too complex and random for a signature, so it needs to
> be done via a plugin.
> However, my detection could be completely thwarted by simply fragging the
> packet. My questions are:
> 1) Should this be a detection plugin or a preprocessor?
It should be a detection plugin; the frag2 preprocessor will take care of
the heavy lifting of defragging packets and presenting them to you in their
> 2) Is there anyplace that I would have access to the packet that has been
> reassembled by the defrag preprocessor?
Yes, the frag2 preprocessor hands the defragmented packet to the detection
engine in real-time once all the pieces have arrived.
> 3) If one has multiple preprocessors, what determines the order they run
> in? Can the defrag run first, then others, allowing them to see the packet
> in its defragged form?
The order is determined by the way that they're loaded in the snort.conf
file. The default order has spp_frag2 loaded first.
> 4) spp_bo (the back orifice preprocessor) is a preprocessor. If #3 above
> is not possible, can it be thwarted by running the packets through a
Yes, but most people scanning for BO these days are yahoos... :)
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
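The point made above, that a detection plugin inspecting a packet's data portion is only as good as the defragmentation that runs before it, as an added illustration that is not Snort code and not part of the original thread. The `Reassembler` below is a constructed stand-in for what frag2 does (buffer fragments by IP id, hand over the whole packet once every piece has arrived); `detect` stands in for the plugin's own check, and the payload, pattern and IP id are constructed sample values. Overlapping or duplicate fragments are not handled.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Fragment:
    """One IP fragment; offset is in 8-byte units, as in the IP header."""
    ident: int            # IP identification field shared by the fragments
    offset: int           # fragment offset in 8-byte units
    more_fragments: bool  # MF flag; False only on the last fragment
    data: bytes

def fragment(ident: int, payload: bytes, units: int) -> List[Fragment]:
    """Constructed sender: split payload into fragments of units*8 bytes."""
    size = units * 8
    pieces = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [Fragment(ident, i * units, i < len(pieces) - 1, p)
            for i, p in enumerate(pieces)]

class Reassembler:
    """Minimal frag2-like buffer: hold pieces by IP id, emit once complete."""
    def __init__(self) -> None:
        self._parts: Dict[int, Dict[int, bytes]] = {}  # id -> {byte off: data}
        self._total: Dict[int, int] = {}               # id -> expected length

    def feed(self, frag: Fragment) -> Optional[bytes]:
        parts = self._parts.setdefault(frag.ident, {})
        parts[frag.offset * 8] = frag.data
        if not frag.more_fragments:
            self._total[frag.ident] = frag.offset * 8 + len(frag.data)
        total = self._total.get(frag.ident)
        if total is None:
            return None                  # last fragment not seen yet
        pos = 0
        for off, data in sorted(parts.items()):
            if off != pos:
                return None              # gap: a piece is still missing
            pos += len(data)
        del self._parts[frag.ident], self._total[frag.ident]
        return b"".join(d for _, d in sorted(parts.items()))

def detect(data: bytes, pattern: bytes) -> bool:   # the plugin's payload check
    return pattern in data

def per_fragment_hits(frags: List[Fragment], pattern: bytes) -> int:
    return sum(detect(f.data, pattern) for f in frags)  # no frag2: piecewise

def reassembled_hits(frags: List[Fragment], pattern: bytes) -> int:
    r, hits = Reassembler(), 0          # frag2 -> engine: whole packets only
    for f in frags:
        whole = r.feed(f)
        hits += whole is not None and detect(whole, pattern)
    return hits
```

With a 32-byte payload split into two 16-byte fragments so that the pattern straddles the boundary, `per_fragment_hits` returns 0 while `reassembled_hits` returns 1, whether the fragments arrive in order or reversed.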