[Snort-users] preprocessor definition in snort manual!?!?!?
mkettler at ...4108...
Mon Apr 21 14:35:03 EDT 2003
Really it should say programmers and users that are comfortable doing

Essentially snort has a standard C code interface that allows for add-on
modules that are written in C to be compiled into snort. These consist of
preprocessors and plugins, both of which can examine packets, but only
preprocessors actually data before the rules are applied.

A prime example of a snort preprocessor is stream4, which re-assembles the
data out of multiple packets in a TCP stream. Another example is the code
that normalizes out HTTP requests (I forget the name of this module), so
that unicode and escape sequences in HTTP requests are decoded prior to
being searched by rules (this prevents evasion of rules looking for things
like "cmd.exe". Otherwise an attacker could just use escape codes to avoid

If you're comfortable with C code, you can look in the src/preprocessors
subdirectory for some examples of how a preprocessor is written.
At 11:23 PM 4/21/2003 +0300, Derya Sezen wrote:
>What does this sentence in snort manual mean!?
>"Preprocessors allow the functionality of Snort to be extended by
>allowing users and programmers to drop modular "plugins" into Snort
>What kind of "plugins" does it mean? How can we use this function to
>make a plugin? Can you give an example of that?!
>Derya Sezen <funky at ...8796...>
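
The normalize-before-match idea from the reply above, as an added example that is not part of the original message and is not Snort's code or its preprocessor API. The function names, buffer size and sample URIs are assumptions made up for illustration; only `%XX` escapes are handled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes from src into dst; malformed or truncated escapes are
 * copied through unchanged. Returns bytes written, excluding the final NUL. */
size_t normalize_uri(const char *src, char *dst, size_t dstlen) {
    size_t n = 0;
    int hi, lo;
    if (dstlen == 0) return 0;
    while (*src && n + 1 < dstlen) {
        if (src[0] == '%' && (hi = hex_val((unsigned char)src[1])) >= 0 &&
            (lo = hex_val((unsigned char)src[2])) >= 0) {
            dst[n++] = (char)(hi * 16 + lo);
            src += 3;
        } else {
            dst[n++] = *src++;
        }
    }
    dst[n] = '\0';
    return n;
}

/* Case-insensitive search over len bytes, so a decoded NUL cannot hide data. */
int contains_nocase(const char *buf, size_t len, const char *pat) {
    size_t plen = strlen(pat), i, j;
    for (i = 0; plen && i + plen <= len; i++) {
        for (j = 0; j < plen; j++)
            if (tolower((unsigned char)buf[i + j]) != tolower((unsigned char)pat[j])) break;
        if (j == plen) return 1;
    }
    return 0;
}

/* The "rule": 1 if pat is in the normalized URI, 0 if not, -1 if the URI
 * does not fit the buffer (flag it rather than inspect a truncated copy). */
int rule_matches(const char *uri, const char *pat) {
    char norm[2048];
    if (strlen(uri) >= sizeof norm) return -1;
    return contains_nocase(norm, normalize_uri(uri, norm, sizeof norm), pat);
}

int main(void) {
    const char *uri = "/scripts/cmd%2eexe";   /* constructed sample request URI */
    printf("raw match: %d, normalized match: %d\n",
           contains_nocase(uri, strlen(uri), "cmd.exe"), rule_matches(uri, "cmd.exe"));
    return 0;
}
```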