[Snort-users] detection and preprocessor plugins
roesch at ...1935...
Tue Jan 29 19:16:06 EST 2002
Right, but the packet is marked as a rebuilt frag so frag2 knows to ignore
On 1/29/02 10:34 AM, "Steve Halligan" <agent33 at ...187...> wrote:
> Please allow me to answer my own question. When frag2 determines that it
> has a complete packet rebuilt, it dumps the packet back into
> ProcessPacket(), which will give all the preprocessors (even frag2 itself
> actually) another shot at the new rebuilt packet.
>>>> 3) If one has multiple preprocessors, what determines the order they run
>>>> in? Can the defrag run first, then others, allowing them to see the packet
>>>> in its defragged form?
>>> The order is determined by the way that they're loaded in the
>>> file. The default order has spp_frag2 loaded first.
>> So if frag2 is loaded first, will other preprocessors see a packet in its
>> defragged state?
>> Or is the defragged packet only available to detection plugins and the
>> signature engine?
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
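
The re-injection behaviour discussed in this thread, as an added C sketch that is not Snort source code and not written by either poster: preprocessors run in load order, the defragmenter hands the rebuilt packet back to the packet-processing entry point, and a rebuilt flag makes the defragmenter skip its own output. All type, flag and function names are hypothetical, and the two fragments are constructed sample input.

```c
/* Toy model added for illustration; not Snort source. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define PKT_FRAG      0x1u  /* IP fragment */
#define PKT_LAST_FRAG 0x2u  /* final fragment of a datagram */
#define PKT_REBUILT   0x4u  /* produced by the defragmenter */

typedef struct { unsigned flags; char data[64]; } Packet;
typedef void (*Preproc)(Packet *);
static void process_packet(Packet *p);

static char frag_buf[64];                    /* one reassembly buffer (toy: single flow) */
static int rebuilds, defrag_skips, matches;  /* counters read by the demo */

/* Loaded first: collects fragments and re-injects the rebuilt datagram. */
static void defrag(Packet *p) {
    if (p->flags & PKT_REBUILT) { defrag_skips++; return; }  /* own output: ignore */
    if (!(p->flags & PKT_FRAG)) return;
    strncat(frag_buf, p->data, sizeof frag_buf - strlen(frag_buf) - 1);
    if (p->flags & PKT_LAST_FRAG) {
        Packet r = { PKT_REBUILT, "" };
        strcpy(r.data, frag_buf);
        frag_buf[0] = '\0';
        rebuilds++;
        process_packet(&r);  /* the whole chain runs again on the rebuilt packet */
    }
}

/* Loaded second: a content check that only succeeds on the whole payload. */
static void inspector(Packet *p) {
    if (strstr(p->data, "HELLOWORLD")) matches++;
}

static Preproc chain[] = { defrag, inspector };  /* load order = run order */
static void process_packet(Packet *p) {
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) chain[i](p);
}

/* Feed a constructed two-fragment datagram; return the inspector's match count. */
static int run_demo(void) {
    Packet a = { PKT_FRAG, "HELLO" }, b = { PKT_FRAG | PKT_LAST_FRAG, "WORLD" };
    frag_buf[0] = '\0'; rebuilds = defrag_skips = matches = 0;
    process_packet(&a); process_packet(&b);
    return matches;
}

int main(void) {
    int m = run_demo();
    printf("matches=%d rebuilds=%d defrag_skips=%d\n", m, rebuilds, defrag_skips);
}
```
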