[Snort-users] preprocessors

Todd Wease twease at ...1935...
Thu Dec 17 08:58:53 EST 2009


> 1)  The preprocessors work in the order you have them in the config
> file.  So first the frag3 engine cleans up layer 2 fragmentation.  Then
> the stream engine handles the reassembly of IP segmentation.  Then (for
> example) the http_inspect engine applies some intelligence to the data
> and sorts it into buffers that we can specifically look at in the
> detection engine.  This way we can write rules that are faster and more
> accurate.

Preprocessors have a priority associated with them and will be run in 
order of their priority.  If the priority is the same, then the ordering 
in which they are in snort.conf matters.  The priorities are labelled as 
such from highest priority to lowest:

#define PRIORITY_FIRST           0x0
#define PRIORITY_NETWORK        0x10
#define PRIORITY_TRANSPORT     0x100
#define PRIORITY_TUNNEL        0x105
#define PRIORITY_SCANNER       0x110
#define PRIORITY_APPLICATION   0x200
#define PRIORITY_LAST         0xffff


Also note that dynamic preprocessors are configured after non-dynamic
preprocessors, so for the same priority group, they will always be 
evaluated after non-dynamic preprocessors.


The current priorities for the preprocessors are:

PRIORITY_NETWORK
----------------
frag3
arpspoof


PRIORITY_TRANSPORT
------------------
stream5


PRIORITY_TUNNEL
---------------
ssl


PRIORITY_SCANNER
----------------
sfportscan
perfmonitor


PRIORITY_APPLICATION
--------------------
httpinspect
rpc_decode

(dynamic preprocessors)
ssh
ftptelnet
dns
smtp
dcerpc2


PRIORITY_LAST
-------------
bo


Also, don't let the configuration output confuse you as to when the 
preprocessor is actually run.  They are configured, then inserted into a 
list based on priority.  The only time the configuration order matters 
is if they are the same priority.
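To make the ordering rules in this reply concrete, here is a small added example (not Snort's own code, and not part of the mailing-list post) that models the behaviour described: each preprocessor is inserted into a list sorted by the priority values quoted above, a new entry goes after any existing entry of equal priority so that snort.conf order breaks ties, and dynamic preprocessors are registered in a second pass so they land after the static ones of the same priority. The constructed snort.conf order in `sample_conf`, and the helper names `insert_preproc`, `build_run_order`, `run_index` and `sample_index`, are assumptions made for the example only.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Priority values exactly as listed in the post. */
#define PRIORITY_FIRST           0x0
#define PRIORITY_NETWORK        0x10
#define PRIORITY_TRANSPORT     0x100
#define PRIORITY_TUNNEL        0x105
#define PRIORITY_SCANNER       0x110
#define PRIORITY_APPLICATION   0x200
#define PRIORITY_LAST         0xffff

#define MAX_PP 32

typedef struct {
    const char *name;
    unsigned priority;
    int dynamic;      /* 1 if loaded as a dynamic preprocessor */
} Preproc;

/* Simplified model of the ordered preprocessor list (assumption: a model
 * of the behaviour described in the post, not Snort's data structure). */
typedef struct {
    Preproc items[MAX_PP];
    int count;
} PreprocList;

/* Insert keeping the list sorted by priority. The new entry is placed
 * after every existing entry whose priority is <= its own, so for equal
 * priorities the configuration (insertion) order is preserved. */
static void insert_preproc(PreprocList *l, Preproc p)
{
    int i = l->count;
    assert(i < MAX_PP);
    while (i > 0 && l->items[i - 1].priority > p.priority) {
        l->items[i] = l->items[i - 1];
        i--;
    }
    l->items[i] = p;
    l->count++;
}

/* Build the run order from the order preprocessors appear in snort.conf.
 * Static preprocessors are registered in pass 0, dynamic ones in pass 1,
 * mirroring the note that dynamic preprocessors are configured after the
 * non-dynamic ones. */
static void build_run_order(PreprocList *l, const Preproc *conf, int n)
{
    int pass, i;
    l->count = 0;
    for (pass = 0; pass < 2; pass++)
        for (i = 0; i < n; i++)
            if (conf[i].dynamic == pass)
                insert_preproc(l, conf[i]);
}

/* Position of a named preprocessor in the run order, or -1 if absent. */
static int run_index(const PreprocList *l, const char *name)
{
    int i;
    for (i = 0; i < l->count; i++)
        if (strcmp(l->items[i].name, name) == 0)
            return i;
    return -1;
}

/* Constructed snort.conf order, deliberately scrambled: httpinspect is
 * configured before frag3 and stream5, and the dynamic smtp entry appears
 * before the static rpc_decode. */
static const Preproc sample_conf[] = {
    { "httpinspect", PRIORITY_APPLICATION, 0 },
    { "smtp",        PRIORITY_APPLICATION, 1 },
    { "sfportscan",  PRIORITY_SCANNER,     0 },
    { "frag3",       PRIORITY_NETWORK,     0 },
    { "rpc_decode",  PRIORITY_APPLICATION, 0 },
    { "stream5",     PRIORITY_TRANSPORT,   0 },
    { "bo",          PRIORITY_LAST,        0 },
    { "dcerpc2",     PRIORITY_APPLICATION, 1 },
};
#define SAMPLE_N ((int)(sizeof sample_conf / sizeof sample_conf[0]))

/* Run-order position of a preprocessor for the constructed config. */
static int sample_index(const char *name)
{
    PreprocList l;
    build_run_order(&l, sample_conf, SAMPLE_N);
    return run_index(&l, name);
}

int main(void)
{
    PreprocList l;
    int i;
    build_run_order(&l, sample_conf, SAMPLE_N);
    for (i = 0; i < l.count; i++)
        printf("%2d  0x%04x  %s%s\n", i, l.items[i].priority,
               l.items[i].name, l.items[i].dynamic ? " (dynamic)" : "");
    return 0;
}
```

Running it prints frag3, stream5, sfportscan, httpinspect, rpc_decode, smtp, dcerpc2, bo in that order: the scrambled snort.conf order only mattered within the 0x200 group, where the two static entries kept their file order and the two dynamic ones followed them.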
