[Snort-users] preprocessor's rules?

Nigel Houghton nigel at ...1935...
Tue Apr 15 07:53:33 EDT 2008

(I removed the useless extra "?"s from the subject, if this breaks your
threading try using a real MUA)

On 4/15/08 1:36 AM, "Rachmat Hidayat Al-Anshar"
<rachmat_hidayat_02 at ...131...> wrote:

> Hi all.... :)
> I just want to know more about this following line on
> snort configurations file..
> var PREPROC_RULE_PATH ../preproc_rules
> what is preprocessor rules are??
> and then, since I know that Snort's preprocessor only
> use plug-ins for its
> process, is it something that I missed about this
> "rules" for preprocessor...
> Any response supporting this question will greatly
> appreciated
> Thanks in advance
> Rachmat Hidayat Al Anshar

>From the ChangeLog:

  2007-08-30 Steven Sturges <ssturges at ...1935...>


       Added support to provide action control (alert, drop, pass, etc)
       over preprocessor and decoder generated events, as well as references
       and classifications via a rule.  These rules do not include IP
       addresses as the individual preprocessor/decoder configuration
       dictates the traffic to which an event applies.  In conjunction
       with this, certain post-processing rule options (tag, logto, etc)
       may be added to those rules, while other options that relate to data
       inspection (content, byte_test, etc) may not.  Enable via
       --enable-decoder-preprocessor-rules option to configure.

Been there for a while.

Nigel Houghton
Resident Hooligan

More information about the Snort-users mailing list