[Snort-users] detection and preprocessor plugins

Martin Roesch roesch at ...1935...
Mon Jan 28 19:02:03 EST 2002

On 1/28/02 3:24 PM, "Steve Halligan" <agent33 at ...187...> wrote:

> I wan't to write a plugin to detect the presence of something in the data
> portian of a packet.
> This "something" is too complex and random for a signature, so it needs to
> be done via a plugin.
> However, my detection could be completely thwarted be simply fragging the
> packet.  My questions are:
> 1)  Should this be a detection plugin or a preprocessor?

It should be a detection plugin, the frag2 preprocessor will take care of
the heavy lifting of defragging packets and presenting them to you in their
"correct" format.

> 2)  Is there anyplace that I would have access to the packet that has been
> reassembled by the defrag prprocessor?

Yes, the frag2 preprocessor hands the defragmented packet to the detection
engine in real-time once all the pieces have arrived.

> 3)  If one have multiple preprocessors, what determines the order they run
> in?  Can the defrag run first, then others, allowing them to see the packet
> in its defragged form?

The order is determined by the way that they're loaded in the snort.conf
file.  The default order has spp_frag2 loaded first.

> 4)  spp_bo (the back orifice preprocessor) is a preprocessor.  If #3 above
> is not possible, can it be thwarted by running the packets through a
> fragrouter?

Yes, but most people scanning for BO these days are yahoos... :)


Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-users mailing list