[Snort-users] preprocessor's rules?

Justin Heath justin.heath at ...11827...
Tue Apr 15 08:41:27 EDT 2008


This broke the threading on gmail. I guess it must be an imaginary MUA.


Cheers,
Justin

On Tue, Apr 15, 2008 at 7:53 AM, Nigel Houghton <nigel at ...1935...> wrote:
>
>  (I removed the useless extra "?"s from the subject, if this breaks your
>  threading try using a real MUA)
>
>  On 4/15/08 1:36 AM, "Rachmat Hidayat Al-Anshar"
>  <rachmat_hidayat_02 at ...131...> wrote:
>
>  > Hi all.... :)
>  >
>  > I just want to know more about the following line in the
>  > Snort configuration file..
>  > var PREPROC_RULE_PATH ../preproc_rules
>  >
>  > What are preprocessor rules??
>  > And then, since I know that Snort's preprocessors only
>  > use plug-ins for their
>  > processing, is there something that I missed about these
>  > "rules" for preprocessors...
>  >
>  > Any response to this question will be greatly
>  > appreciated.
>  > Thanks in advance
>  > Rachmat Hidayat Al Anshar
>
>  From the ChangeLog:
>
>   2007-08-30 Steven Sturges <ssturges at ...1935...>
>
>  <snip>
>
>        Added support to provide action control (alert, drop, pass, etc)
>        over preprocessor and decoder generated events, as well as references
>        and classifications via a rule.  These rules do not include IP
>        addresses as the individual preprocessor/decoder configuration
>        dictates the traffic to which an event applies.  In conjunction
>        with this, certain post-processing rule options (tag, logto, etc)
>        may be added to those rules, while other options that relate to data
>        inspection (content, byte_test, etc) may not.  Enable via
>        --enable-decoder-preprocessor-rules option to configure.
>
>  Been there for a while.
>
>  --
>  Nigel Houghton
>  Resident Hooligan
>  SF VRT
>
>
>
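The constraints in the quoted ChangeLog entry (no IP addresses in the rule, post-processing options such as tag and logto allowed, data-inspection options such as content and byte_test not allowed) can be checked mechanically before a file is placed under PREPROC_RULE_PATH. The following is an added example, not part of the original thread and not code from the Snort project; the sample rules and their gid/sid values are constructed, and the option names beyond content and byte_test are an assumption about what the entry's "etc" covers.

```python
import re

# content and byte_test are named in the ChangeLog entry; the other three are an
# assumption about its "etc" (all are real Snort data-inspection options).
DATA_INSPECTION = {"content", "byte_test", "byte_jump", "pcre", "uricontent"}
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

# Constructed sample rules (gid/sid values are illustrative, not from the thread).
GOOD = 'alert ( msg:"constructed event; demo"; gid:116; sid:1; rev:1; tag:session,10,packets; )'
BAD_HEADER = 'alert tcp any any -> any 80 ( msg:"constructed"; gid:119; sid:2; rev:1; )'
BAD_OPTS = 'drop ( msg:"constructed"; gid:119; sid:2; content:"abc"; byte_test:4,>,100,0; )'

def split_options(body):
    """Split rule options on ';' while honouring quotes and backslash escapes."""
    opts, cur, quoted, esc = [], "", False, False
    for ch in body:
        if esc:
            cur, esc = cur + ch, False
        elif ch == "\\":
            cur, esc = cur + ch, True
        elif ch == '"':
            cur, quoted = cur + ch, not quoted
        elif ch == ";" and not quoted:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return [o for o in opts + [cur.strip()] if o]

def lint_preproc_rule(line):
    """Return a list of problems for one preprocessor/decoder rule line."""
    m = re.match(r"\s*([^()]*)\((.*)\)\s*$", line)
    if not m:
        return ["not a rule: expected 'action ( options )'"]
    header = m.group(1).split()
    names = [o.split(":", 1)[0].strip() for o in split_options(m.group(2))]
    problems = []
    if not header or header[0] not in ACTIONS:
        problems.append("unknown or missing action")
    if len(header) > 1:  # the preprocessor config, not the rule, selects the traffic
        problems.append("header carries protocol/address fields: " + " ".join(header[1:]))
    problems += ["data-inspection option not allowed: " + n
                 for n in names if n in DATA_INSPECTION]
    # The generator id plus sid identify which preprocessor/decoder event the rule controls.
    problems += ["missing " + k for k in ("gid", "sid") if k not in names]
    return problems
```

Run `lint_preproc_rule` over each non-comment line of a rules file and treat any non-empty result as a reason to keep the file out of the include path.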
