[Snort-users] preprocessors

Matt Olney molney at ...1935...
Thu Dec 17 09:27:33 EST 2009


The Todd speaks!

Thanks, I learned something (and need to update some slides).  Folks, in
case you are wondering Todd is where the VRT goes when it has
deep-in-the-guts issues with preprocessors.  He is also our external check
when we develop SO rules (and, I'll be honest, he finds some stuff we missed
:)).

He is also roughly 6.7-7.2 flavors of awesome.

Thanks, Todd

Matt

On Thu, Dec 17, 2009 at 8:58 AM, Todd Wease <twease at ...1935...> wrote:

>> 1)  The preprocessors work in the order you have them in the config
>> file.  So first the frag3 engine cleans up layer 2 fragmentation.  Then
>> the stream engine handles the reassembly of IP segmentation.  Then (for
>> example) the http_inspect engine applies some intelligence to the data
>> and sorts it into buffers that we can specifically look at in the
>> detection engine.  This way we can write rules that are faster and more
>> accurate.
>>
>
> Preprocessors have a priority associated with them and will be run in order
> of their priority.  If the priority is the same, then the ordering in which
> they are in snort.conf matters.  The priorities are labelled as such from
> highest priority to lowest:
>
> #define PRIORITY_FIRST           0x0
> #define PRIORITY_NETWORK        0x10
> #define PRIORITY_TRANSPORT     0x100
> #define PRIORITY_TUNNEL        0x105
> #define PRIORITY_SCANNER       0x110
> #define PRIORITY_APPLICATION   0x200
> #define PRIORITY_LAST         0xffff
>
>
> Also note that dynamic preprocessors are configured after non-dynamic
> preprocessors, so for the same priority group, they will always be
> evaluated after non-dynamic preprocessors.
>
>
> The current priorities for the preprocessors are:
>
> PRIORITY_NETWORK
> ----------------
> frag3
> arpspoof
>
>
> PRIORITY_TRANSPORT
> ------------------
> stream5
>
>
> PRIORITY_TUNNEL
> ---------------
> ssl
>
>
> PRIORITY_SCANNER
> ----------------
> sfportscan
> perfmonitor
>
>
> PRIORITY_APPLICATION
> --------------------
> httpinspect
> rpc_decode
>
> (dynamic preprocessors)
> ssh
> ftptelnet
> dns
> smtp
> dcerpc2
>
>
> PRIORITY_LAST
> -------------
> bo
>
>
> Also, don't let the configuration output confuse you as to when the
> preprocessor is actually run.  They are configured, then inserted into a
> list based on priority.  The only time the configuration order matters is if
> they are the same priority.
>
>
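The scheduling Todd describes, as an added Python model that is not Snort's own code: it takes a snort.conf fragment, configures non-dynamic preprocessors before dynamic ones, then orders them by the quoted priority constants with configuration order as the only tie-breaker. The treatment of config keywords as exactly the preprocessor names in the list above is an assumption (real snort.conf keywords such as frag3_global differ).

```python
# Added example, not Snort's own code: a model of the scheduling Todd
# describes, so you can predict run order from a snort.conf fragment.
# Priority values come from the quoted #defines; the mapping of config
# keywords to preprocessor names is simplified (an assumption).

PRIORITY = {"NETWORK": 0x10, "TRANSPORT": 0x100, "TUNNEL": 0x105,
            "SCANNER": 0x110, "APPLICATION": 0x200, "LAST": 0xffff}

# Registration tables as listed in the thread.
STATIC = {"frag3": "NETWORK", "arpspoof": "NETWORK", "stream5": "TRANSPORT",
          "ssl": "TUNNEL", "sfportscan": "SCANNER", "perfmonitor": "SCANNER",
          "httpinspect": "APPLICATION", "rpc_decode": "APPLICATION",
          "bo": "LAST"}
DYNAMIC = {n: "APPLICATION" for n in ("ssh", "ftptelnet", "dns", "smtp", "dcerpc2")}


def evaluation_order(conf_lines):
    """Return preprocessor names in the order Snort would evaluate them."""
    names = []
    for line in conf_lines:
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "preprocessor":
            name = parts[1].rstrip(":")
            if name in STATIC or name in DYNAMIC:
                names.append(name)
    # Configuration pass: non-dynamic preprocessors are configured first,
    # dynamic ones afterwards, regardless of where they sit in the file.
    configured = [n for n in names if n in STATIC] + [n for n in names if n in DYNAMIC]
    # Each is then inserted into a list ordered by priority; a stable sort
    # keeps configuration order only among equal priorities.
    return sorted(configured, key=lambda n: PRIORITY[STATIC.get(n) or DYNAMIC[n]])


# Constructed snort.conf fragment, deliberately listed "out of order".
SAMPLE_CONF = """
preprocessor httpinspect: server default
preprocessor ssh
preprocessor bo
preprocessor smtp
preprocessor stream5: max_tcp 8192
preprocessor frag3
preprocessor arpspoof
preprocessor sfportscan: proto { all }
""".splitlines()

if __name__ == "__main__":
    print(" -> ".join(evaluation_order(SAMPLE_CONF)))
    # frag3 -> arpspoof -> stream5 -> sfportscan -> httpinspect -> ssh -> smtp -> bo
```

Note that httpinspect is first in the file yet runs after frag3 and stream5, and ssh runs after httpinspect even though it precedes smtp in the file only because both are dynamic.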