Snort mailing list archives
Re: preprocessor's rules???
From: "Justin Heath" <justin.heath () gmail com>
Date: Tue, 15 Apr 2008 08:35:40 -0400
They are stub rules that control the alerting functionality of preprocessor alerts. So, for example ...

alert ( msg: "STREAM5_DATA_WITHOUT_FLAGS"; sid: 11; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )

Would enable the alerting of the stream5 without flags alert. Each alerting preproc should have a readme which describes the alerts associated with it. In addition the gen-msg.map should give you a list of preprocessor gids along with their associated sids.

Cheers,
Justin

On Tue, Apr 15, 2008 at 1:36 AM, Rachmat Hidayat Al-Anshar <rachmat_hidayat_02 () yahoo com> wrote:
Hi all.... :)

I just want to know more about the following line in the snort configuration file..

var PREPROC_RULE_PATH ../preproc_rules

What are preprocessor rules?? And then, since I know that Snort's preprocessors only use plug-ins for their processing, is there something that I missed about these "rules" for preprocessors...

Any response supporting this question will be greatly appreciated

Thanks in advance

Rachmat Hidayat Al Anshar

____________________________________________________________________________________
Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
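Added example, not part of the original thread and not Snort's own code: a small audit that cross-references preprocessor stub rules with gen-msg.map to show which preprocessor alerts have an active stub rule and which do not. The sample inputs are constructed, and the `gid || sid || message` map layout and the treatment of commented-out rules as disabled are assumptions.

```python
import re

# Constructed sample inputs (only gid 129 / sid 11 comes from the thread).
SAMPLE_RULES = """\
alert ( msg: "STREAM5_DATA_WITHOUT_FLAGS"; sid: 11; gid: 129; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )
# alert ( msg: "EXAMPLE_DISABLED_ALERT"; sid: 12; gid: 129; rev: 1; metadata: rule-type preproc ; )
"""
SAMPLE_GEN_MSG_MAP = """\
# generatorid || alertid || MSG
129 || 11 || example: data without flags
129 || 12 || example: second stream5 alert
"""

# Matches the gid, sid and msg options of a rule; msg may be a quoted string.
_OPT = re.compile(r'\b(gid|sid|msg)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]+);')

def parse_stub_rules(text):
    """Return {(gid, sid): msg} for uncommented preprocessor stub rules."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("alert") or "rule-type preproc" not in line:
            continue  # comments, blank lines and non-preprocessor rules
        opts = {k: v.strip().strip('"') for k, v in _OPT.findall(line)}
        if "gid" in opts and "sid" in opts:
            rules[(int(opts["gid"]), int(opts["sid"]))] = opts.get("msg", "")
    return rules

def parse_gen_msg_map(text):
    """Return {(gid, sid): message} from 'gid || sid || message' lines."""
    entries = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("||", 2)]
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            entries[(int(parts[0]), int(parts[1]))] = parts[2]
    return entries

def audit(rules_text, map_text):
    """Split known alerts into enabled / silent, plus rules missing from the map."""
    active = parse_stub_rules(rules_text)
    known = parse_gen_msg_map(map_text)
    enabled = sorted(k for k in known if k in active)
    silent = sorted(k for k in known if k not in active)
    unmapped = sorted(k for k in active if k not in known)
    return enabled, silent, unmapped

if __name__ == "__main__":
    enabled, silent, unmapped = audit(SAMPLE_RULES, SAMPLE_GEN_MSG_MAP)
    print("alerts with an active stub rule:", enabled)
    print("alerts with no active stub rule:", silent)
    print("stub rules missing from the map:", unmapped)
```

The `silent` list is the useful output for a detection review: those are preprocessor events listed in the map that have no active stub rule in the file being checked.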