[Snort-users] detection and preprocessor plugins

Martin Roesch roesch at ...1935...
Tue Jan 29 19:16:06 EST 2002


Right, but the packet is marked as a rebuilt frag so frag2 knows to ignore
it.

     -Marty


On 1/29/02 10:34 AM, "Steve Halligan" <agent33 at ...187...> wrote:

> Please allow me to answer my own question.  When frag2 determines that it
> has a complete packet rebuilt, it dumps the packet back into
> ProcessPacket(), which will give all the preprocessors (even frag2 itself
> actually) another shot at the new rebuilt packet.
> 
> -steve
> 
> 
>>>> 3)  If one has multiple preprocessors, what determines the order they run
>>>> in?  Can the defrag run first, then others, allowing them to see the packet
>>>> in its defragged form?
>>> 
>>> The order is determined by the way that they're loaded in the snort.conf
>>> file.  The default order has spp_frag2 loaded first.
>>> 
>> So if frag2 is loaded first, will other preprocessors see a packet in its
>> defragged state?
>> Or is the defragged packet only available to detection plugins and the
>> signature engine?
>> 
>> -steve
> 

-- 
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
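
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Snort source code: a small C model of a preprocessor chain in which the defragmenter reinjects its rebuilt packet and a flag stops it from handling that packet again. All names here (process_packet, frag2_pre, other_pre, PKT_REBUILT_FRAG, the Packet fields) are assumptions made for this model.

```c
#include <stdio.h>
#include <string.h>

#define PKT_REBUILT_FRAG 0x1            /* model flag: packet came out of reassembly */

typedef struct { unsigned flags; int id; int more_frags; } Packet;
typedef void (*Preproc)(Packet *);

static char seen[16][32];               /* trace of which preprocessor saw what */
static int nseen, depth, max_depth;
static void process_packet(Packet *p);

static void note(const char *who, const Packet *p) {
    if (nseen < 16)
        snprintf(seen[nseen++], sizeof seen[0], "%s:%s", who,
                 (p->flags & PKT_REBUILT_FRAG) ? "rebuilt" : "fragment");
}

/* Defragmenter model: the last fragment completes the datagram. */
static void frag2_pre(Packet *p) {
    note("frag2", p);
    if (p->flags & PKT_REBUILT_FRAG)    /* our own output: ignore it. Without this */
        return;                         /* check the reinjection would never stop. */
    if (!p->more_frags) {
        Packet whole = { PKT_REBUILT_FRAG, p->id, 0 };
        process_packet(&whole);         /* whole chain gets a shot at the rebuilt packet */
    }
}

static void other_pre(Packet *p) { note("other", p); }

/* Array order stands in for the load order in snort.conf. */
static Preproc chain[] = { frag2_pre, other_pre };

static void process_packet(Packet *p) {
    if (++depth > max_depth) max_depth = depth;
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++)
        chain[i](p);
    depth--;
}

/* Constructed input: two fragments of datagram 7. Returns the trace length. */
int run_demo(void) {
    Packet f1 = { 0, 7, 1 }, f2 = { 0, 7, 0 };
    nseen = depth = max_depth = 0;
    process_packet(&f1);
    process_packet(&f2);
    return nseen;
}

int main(void) {
    int n = run_demo();
    for (int i = 0; i < n; i++) puts(seen[i]);
    return 0;
}
```

In this model a preprocessor placed after the defragmenter sees both the raw fragments and the rebuilt packet, so it has to check the flag itself if it only wants one of them.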




