[Snort-users] preprocessors rules

Al Lewis (allewi) allewi at ...589...
Mon Feb 23 12:16:29 EST 2015


You can read on the preprocessors here: http://manual.snort.org/node17.html

The packet is decoded, then the preprocessor is run before detection.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...

From: Dan Roberts [mailto:danroberts2604 at ...11827...]
Sent: Monday, February 23, 2015 10:58 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] preprocessors rules

Hi all,

One of my Snort sensors (eth1) is listening to the network traffic of many VLANs, sharing the same trunk.
And although I've defined only one VLAN (IP subnet) as my HOME_NET in snort.conf,
I receive many preprocessor alarms related to other VLANs (IP subnets) without any relation to my HOME_NET.

My question: do the preprocessor rules apply to all the network traffic the sensor sees, regardless of the HOME_NET setting in snort.conf? Or is there something I missed?

Thanks in advance for your help!

Dan




