[Snort-users] preprocessor's rules?
nigel at ...1935...
Tue Apr 15 07:53:33 EDT 2008
(I removed the useless extra "?"s from the subject, if this breaks your
threading try using a real MUA)
On 4/15/08 1:36 AM, "Rachmat Hidayat Al-Anshar"
<rachmat_hidayat_02 at ...131...> wrote:
> Hi all.... :)
> I just want to know more about this following line on
> snort configurations file..
> var PREPROC_RULE_PATH ../preproc_rules
> what are preprocessor rules??
> and then, since I know that Snort's preprocessor only
> uses plug-ins for its
> process, is it something that I missed about this
> "rules" for preprocessor...
> Any response supporting this question will greatly
> Thanks in advance
> Rachmat Hidayat Al Anshar
From the ChangeLog:
2007-08-30 Steven Sturges <ssturges at ...1935...>
Added support to provide action control (alert, drop, pass, etc)
over preprocessor and decoder generated events, as well as references
and classifications via a rule. These rules do not include IP
addresses as the individual preprocessor/decoder configuration
dictates the traffic to which an event applies. In conjunction
with this, certain post-processing rule options (tag, logto, etc)
may be added to those rules, while other options that relate to data
inspection (content, byte_test, etc) may not. Enable via
--enable-decoder-preprocessor-rules option to configure.
Been there for a while.
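
Added example, not part of the original message and not Snort code: a small lint for a preproc_rules file that checks each rule against the constraints in the quoted ChangeLog entry (no address header, no data-inspection options). The function names, the sample rules, the gid/sid requirement and the option names beyond content and byte_test are assumptions of this example.

```python
import re

# The quoted ChangeLog names content and byte_test as disallowed; the other
# payload-inspection options listed here are an assumption of this example.
INSPECTION_OPTS = {"content", "byte_test", "byte_jump", "pcre", "uricontent"}
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop", "activate", "dynamic"}
RULE_RE = re.compile(r"^(\w+)\s*(.*?)\s*\((.*)\)\s*$")
# Constructed sample rules (gid/sid values are illustrative).
GOOD = 'alert ( msg:"decoder event; constructed"; gid:116; sid:1; rev:1; logto:"decode.log"; )'
BAD = 'alert tcp any any -> any 80 ( msg:"x"; content:"|90 90|"; sid:1000001; )'

def split_options(body):
    """Split a rule body on ';', honouring quotes and backslash escapes."""
    opts, cur, quoted, esc = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not esc:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not esc:
            quoted = not quoted
        esc = ch == "\\" and not esc
        cur += ch
    opts.append(cur.strip())
    return [o for o in opts if o]

def lint_preproc_rule(line):
    """Return a list of problems; an empty list means the rule fits."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["not a rule"]
    action, header, body = m.groups()
    problems = []
    if action not in ACTIONS:
        problems.append(f"unknown action {action!r}")
    if header:  # protocol/address/port part of an ordinary rule
        problems.append(f"header {header!r}: no addresses in these rules")
    names = {o.partition(":")[0].strip() for o in split_options(body)}
    for bad in sorted(INSPECTION_OPTS & names):
        problems.append(f"data-inspection option {bad!r} not allowed")
    # Assumption: the rule selects its event by generator and signature id.
    for need in ("gid", "sid"):
        if need not in names:
            problems.append(f"missing {need}")
    return problems

if __name__ == "__main__":
    for rule in (GOOD, BAD):
        print(lint_preproc_rule(rule) or "ok")
```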