pfoh at ...14725...
Wed Dec 16 07:56:06 EST 2009
I have two questions about using preprocessors.
1. Do I understand correctly that preprocessors such as frag3 do some
preprocessing (in the case of frag3, assemble packets), then send them
along to the detection engine to be analyzed? Clearly it makes sense
that they do as they are called "preprocessors", but it brings me to my
2. Preprocessors like sfPortscan seem to do less preprocessing and more
alerting...shouldn't this be the job of the detection engine? Is it
done in a preprocessor, because state is needed? When an alert is
triggered by the preprocessor, is/are the packet(s) still sent to the
Thanks for your help.