Snort mailing list archives
detection and preprocessor plugins
From: Steve Halligan <agent33 () geeksquad com>
Date: Mon, 28 Jan 2002 14:24:36 -0600
I want to write a plugin to detect the presence of something in the data portion of a packet. This "something" is too complex and random for a signature, so it needs to be done via a plugin. However, my detection could be completely thwarted by simply fragging the packet.

My questions are:

1) Should this be a detection plugin or a preprocessor?

2) Is there any place that I would have access to the packet that has been reassembled by the defrag preprocessor?

3) If one has multiple preprocessors, what determines the order they run in? Can the defrag run first, then others, allowing them to see the packet in its defragged form?

4) spp_bo (the back orifice preprocessor) is a preprocessor. If #3 above is not possible, can it be thwarted by running the packets through a fragrouter?

-steve
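The concern in this message, shown as an added example that is not part of the original post and does not use Snort's plugin API: the same payload check run on each fragment alone and then on the payload rebuilt by offset. The `struct frag` layout, the record format the detector looks for, and the sample bytes are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed fragment record (not Snort's Packet struct). */
struct frag { uint16_t off; const uint8_t *data; uint16_t len; };

/* Hypothetical detector: a record is 0xA5, a length byte n, n data bytes,
   then a checksum byte equal to the sum of the data bytes mod 256. */
static int detect(const uint8_t *p, size_t len) {
    for (size_t i = 0; i + 2 < len; i++) {
        size_t n = p[i + 1];
        if (p[i] != 0xA5 || n == 0 || i + 2 + n >= len) continue;
        uint8_t sum = 0;
        for (size_t k = 0; k < n; k++) sum += p[i + 2 + k];
        if (sum == p[i + 2 + n]) return 1;
    }
    return 0;
}

/* What a plugin sees without reassembly: each fragment on its own. */
static int detect_per_fragment(const struct frag *f, size_t nf) {
    int hits = 0;
    for (size_t i = 0; i < nf; i++) hits += detect(f[i].data, f[i].len);
    return hits;
}

/* Place fragments by offset, then inspect once; -1 on overflow or a hole. */
static int detect_reassembled(const struct frag *f, size_t nf) {
    uint8_t buf[256] = {0}, seen[256] = {0};
    size_t total = 0;
    for (size_t i = 0; i < nf; i++) {
        size_t end = (size_t)f[i].off + f[i].len;
        if (end > sizeof buf) return -1;
        memcpy(buf + f[i].off, f[i].data, f[i].len);
        memset(seen + f[i].off, 1, f[i].len);
        if (end > total) total = end;
    }
    for (size_t i = 0; i < total; i++) if (!seen[i]) return -1;
    return detect(buf, total);
}
/* Constructed sample: one record split across two out-of-order fragments. */
static const uint8_t part1[] = { 'h', 'i', 0xA5, 0x03, 0x10 };
static const uint8_t part2[] = { 0x20, 0x30, 0x60, 'x' };
static const struct frag sample[] = { { 5, part2, 4 }, { 0, part1, 5 } };

int main(void) {
    printf("per-fragment: %d, reassembled: %d\n",
           detect_per_fragment(sample, 2), detect_reassembled(sample, 2));
    return 0;
}
```

Where fragments overlap, this sketch lets the later copy win; a real reassembler has to pick that policy deliberately.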