molney at ...1935...
Thu Dec 17 09:27:33 EST 2009
The Todd speaks!
Thanks, I learned something (and need to update some slides). Folks, in
case you are wondering, Todd is where the VRT goes when it has
deep-in-the-guts issues with preprocessors. He is also our external check
when we develop SO rules (and, I'll be honest, he finds some stuff we missed).
He is also roughly 6.7-7.2 flavors of awesome.
On Thu, Dec 17, 2009 at 8:58 AM, Todd Wease <twease at ...1935...> wrote:
>> 1) The preprocessors work in the order you have them in the config
>> file. So first the frag3 engine cleans up layer 2 fragmentation. Then
>> the stream engine handles the reassembly of IP segmentation. Then (for
>> example) the http_inspect engine applies some intelligence to the data
>> and sorts it into buffers that we can specifically look at in the
>> detection engine. This way we can write rules that are faster and more
> Preprocessors have a priority associated with them and will be run in order
> of their priority. If the priority is the same, then the ordering in which
> they are in snort.conf matters. The priorities are labelled as such from
> highest priority to lowest:
> #define PRIORITY_FIRST 0x0
> #define PRIORITY_NETWORK 0x10
> #define PRIORITY_TRANSPORT 0x100
> #define PRIORITY_TUNNEL 0x105
> #define PRIORITY_SCANNER 0x110
> #define PRIORITY_APPLICATION 0x200
> #define PRIORITY_LAST 0xffff
> Also note that dynamic preprocessors are configured after non-dynamic
> preprocessors, so for the same priority group, they will always be
> evaluated after non-dynamic preprocessors.
> The current priorities for the preprocessors are:
> (dynamic preprocessors)
> Also, don't let the configuration output confuse you as to when the
> preprocessor is actually run. They are configured, then inserted into a
> list based on priority. The only time the configuration order matters is if
> they are the same priority.
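To make Todd's ordering rules concrete, here is a small model of the list insertion he describes: each preprocessor is placed into a list sorted by priority, ties keep configuration order, and dynamic preprocessors are configured after the static ones so they land behind static ones of the same priority. This is an added example, not Snort's own code; the priority constants are the ones quoted above, while the preprocessor names, their assigned priorities and the dynamic flags in the sample config are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Priority constants quoted in Todd's message (lower value runs first). */
#define PRIORITY_FIRST       0x0
#define PRIORITY_NETWORK     0x10
#define PRIORITY_TRANSPORT   0x100
#define PRIORITY_TUNNEL      0x105
#define PRIORITY_SCANNER     0x110
#define PRIORITY_APPLICATION 0x200
#define PRIORITY_LAST        0xffff

#define MAX_PREPROCS 16

typedef struct {
    const char *name;
    unsigned priority;
    int dynamic;   /* 1 = dynamic preprocessor, configured after the static ones */
} Preproc;

typedef struct {
    Preproc items[MAX_PREPROCS];
    int count;
} PreprocList;

/* Insert keeping ascending priority. A new entry is placed after any
 * existing entries of equal priority, so snort.conf order only decides
 * ties, exactly as described in the message. */
static void insert_by_priority(PreprocList *list, Preproc p)
{
    int i = list->count;
    while (i > 0 && list->items[i - 1].priority > p.priority) {
        list->items[i] = list->items[i - 1];
        i--;
    }
    list->items[i] = p;
    list->count++;
}

/* Build the run order from the order entries appear in snort.conf:
 * static preprocessors are configured (inserted) first, then dynamic ones. */
void build_run_order(const Preproc *conf, int n, PreprocList *out)
{
    out->count = 0;
    for (int pass = 0; pass < 2; pass++)          /* pass 0: static, pass 1: dynamic */
        for (int i = 0; i < n; i++)
            if (conf[i].dynamic == pass)
                insert_by_priority(out, conf[i]);
}

/* Position of a preprocessor in the run order, or -1 if it is not listed. */
int run_position(const PreprocList *list, const char *name)
{
    for (int i = 0; i < list->count; i++)
        if (strcmp(list->items[i].name, name) == 0)
            return i;
    return -1;
}

/* Constructed sample snort.conf order. The priorities and dynamic flags
 * assigned here are assumptions for the example, not taken from a release. */
static const Preproc sample_conf[] = {
    { "http_inspect", PRIORITY_APPLICATION, 0 },
    { "stream5",      PRIORITY_TRANSPORT,   0 },
    { "frag3",        PRIORITY_NETWORK,     0 },
    { "sfportscan",   PRIORITY_SCANNER,     0 },
    { "dns",          PRIORITY_APPLICATION, 1 },
    { "smtp",         PRIORITY_APPLICATION, 1 },
};
#define SAMPLE_N ((int)(sizeof sample_conf / sizeof sample_conf[0]))

int main(void)
{
    PreprocList order;
    build_run_order(sample_conf, SAMPLE_N, &order);
    /* Prints frag3, stream5, sfportscan, http_inspect, dns, smtp: the config
     * listed http_inspect first, but priority puts it after the lower layers. */
    for (int i = 0; i < order.count; i++)
        printf("%d: %-13s priority 0x%x%s\n", i, order.items[i].name,
               order.items[i].priority, order.items[i].dynamic ? " (dynamic)" : "");
    return 0;
}
```

The sample deliberately lists http_inspect first in the config to show that configuration position does not move it ahead of frag3 or stream5; only dns and smtp, which share its priority and were configured later as dynamic preprocessors, are ordered relative to it by configuration sequence.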