[Snort-users] preprocessor definition in snort manual!?!?!?

Matt Kettler mkettler at ...4108...
Mon Apr 21 14:35:03 EDT 2003

Really it should say programmers and users that are comfortable doing 

Essentially snort has a standard C code interface that allows for add-on 
modules that are written in C to be compiled into snort. These consist of 
preprocessors and plugins, both of which can examine packets, but only 
preprocessors actually data before the rules are applied.

A prime example of a snort preprocessor is stream4, which re-assembles the 
data out of multiple packets in a TCP stream. Another example is the code 
that normalizes out HTTP requests (I forget the name of this module), so 
that unicode and escape sequences in HTTP requests are decoded prior to 
being searched by rules (this prevents evasion of rules looking for things 
like "cmd.exe". Otherwise an attacker could just use escape codes to avoid 

If you're comfortable with C code, you can look in the src/preprocessors 
subdirectory for some examples of how a preprocessor is written.

At 11:23 PM 4/21/2003 +0300, Derya Sezen wrote:
>What does this sentence in snort manual mean!?
>"Preprocessors allow the functionality of Snort to be extended by
>allowing users and programmers to drop modular "plugins" into Snort
>fairly easily."
>What kind of "plugins" that it mean? How can we use this function to
>make a plugind? Can you give an example to that?!
>Derya Sezen <funky at ...8796...>

More information about the Snort-users mailing list