[Snort-users] detection and preprocessor plugins
agent33 at ...187...
Tue Jan 29 07:35:06 EST 2002
Please allow me to answer my own question. When frag2 determines that it
has a complete packet rebuilt, it dumps the packet back into
ProcessPacket(), which will give all the preprocessors (even frag2 itself
actually) another shot at the new rebuilt packet.
> > > 3) If one has multiple preprocessors, what determines the order
> > > they run in? Can the defrag run first, then others, allowing them
> > > to see the packet in its defragged form?
> > The order is determined by the way that they're loaded in the
> > snort.conf file. The default order has spp_frag2 loaded first.
> So if frag2 is loaded first, will other preprocessors see a packet in
> its defragged state?
> Or is the defragged packet only available to detection plugins and the
> signature engine?