[Snort-users] detection and preprocessor plugins

Steve Halligan agent33 at ...187...
Tue Jan 29 07:35:06 EST 2002


Please allow me to answer my own question.  When frag2 determines that it
has a complete packet rebuilt, it dumps the packet back into
ProcessPacket(), which will give all the preprocessors (even frag2 itself
actually) another shot at the new rebuilt packet.

-steve

 
> > > 3)  If one has multiple preprocessors, what determines the order they run
> > > in?  Can the defrag run first, then others, allowing them to see the packet
> > > in its defragged form?
> >
> > The order is determined by the way that they're loaded in the snort.conf
> > file.  The default order has spp_frag2 loaded first.
> >
> So if frag2 is loaded first, will other preprocessors see a packet in its
> defragged state?
> Or is the defragged packet only available to detection plugins and the
> signature engine?
>
> -steve
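
The re-injection described in this message, as an added example that is not part of the original post and not Snort source code: a simplified model in which a frag2 stand-in hands the rebuilt packet back to the packet-processing entry point, so a later preprocessor sees it whole. All names other than frag2 and ProcessPacket are hypothetical, the payload is constructed, and the model assumes a single flow whose fragments arrive in order without gaps and also continue down the chain individually.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not Snort source; every name here is hypothetical. */
typedef struct { int frag_off; int more_frags; int rebuilt; char data[64]; } Packet;
typedef void (*Preproc)(Packet *);
static void process_packet(Packet *p);   /* stand-in for ProcessPacket() */

static char frag_buf[64];                /* one reassembly buffer: single flow only */
static int  rebuilt_seen, frags_seen;    /* what the later preprocessor was shown */
static char last_rebuilt[64];

/* Stand-in for frag2: collect fragments, then re-inject the rebuilt packet. */
static void pp_defrag(Packet *p) {
    if (p->rebuilt || (p->frag_off == 0 && !p->more_frags)) return; /* not a fragment */
    size_t len = strlen(p->data);
    if ((size_t)p->frag_off + len >= sizeof frag_buf) return; /* would overflow: ignore */
    memcpy(frag_buf + p->frag_off, p->data, len);
    if (!p->more_frags) {                /* last fragment: the packet is complete */
        Packet whole = {0, 0, 1, ""};
        frag_buf[p->frag_off + len] = '\0';
        strcpy(whole.data, frag_buf);
        process_packet(&whole);          /* back through the whole chain */
    }
}

/* Stand-in for any later preprocessor: records what it is handed. */
static void pp_inspect(Packet *p) {
    if (p->rebuilt) { rebuilt_seen++; strcpy(last_rebuilt, p->data); }
    else if (p->frag_off || p->more_frags) frags_seen++;
}

/* Chain order mirrors the load order in snort.conf: defrag first. */
static Preproc chain[] = { pp_defrag, pp_inspect };
static void process_packet(Packet *p) {
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) chain[i](p);
}

/* Feed a constructed payload split into two fragments; returns rebuilt count. */
static int run_demo(void) {
    Packet f1 = {0, 1, 0, "GET /cgi-bin/"};
    Packet f2 = {13, 0, 0, "test.cgi"};
    process_packet(&f1);
    process_packet(&f2);
    return rebuilt_seen;
}

int main(void) {
    run_demo();
    printf("fragments=%d rebuilt=%d data=%s\n", frags_seen, rebuilt_seen, last_rebuilt);
    return 0;
}
```

The defrag stand-in is also called on the rebuilt packet, as the message notes for frag2 itself, and returns early on the rebuilt flag so the re-injection does not loop.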
