[Snort-users] detection and preprocessor plugins

Steve Halligan agent33 at ...187...
Tue Jan 29 06:38:09 EST 2002


> > 3)  If one have multiple preprocessors, what determines the 
> order they run
> > in?  Can the defrag run first, then others, allowing them 
> to see the packet
> > in its defragged form?
> 
> The order is determined by the way that they're loaded in the 
> snort.conf
> file.  The default order has spp_frag2 loaded first.
> 
So if frag2 is loaded first, will other preprocessors see a packet in its
defragged state?
Or is the defragged packet only available to detection plugins and the
signature engine?

-steve




More information about the Snort-users mailing list