Snort mailing list archives
preprocessors
From: Jonas Pfoh <pfoh () sec in tum de>
Date: Wed, 16 Dec 2009 13:56:06 +0100
Hi,

I have two questions about using preprocessors.

1. Do I understand correctly that preprocessors such as frag3 do some preprocessing (in the case of frag3, assemble packets), then send them along to the detection engine to be analyzed? Clearly it makes sense that they do, as they are called "preprocessors", but it brings me to my next question...

2. Preprocessors like sfPortscan seem to do less preprocessing and more alerting... shouldn't this be the job of the detection engine? Is it done in a preprocessor because state is needed? When an alert is triggered by the preprocessor, is/are the packet(s) still sent to the detection engine?

Thanks for your help.

-Jonas
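A simplified model of the pipeline these two questions describe, added here as an illustration (it is not Snort's code and not part of this thread): a frag3-like stage hands on only the reassembled datagram, a sfPortscan-like stage keeps per-source state and raises its own alert while still passing the packet on, and a stateless content rule then runs on whatever reaches detection. The class names, the threshold and the sample packets are constructed for the example.

```python
from collections import namedtuple

# frag_id is set only on IP fragments; offset is the byte position in the datagram; more_fragments is the IP MF flag
Packet = namedtuple("Packet", "src dst dport payload frag_id offset more_fragments", defaults=(None, 0, False))

class Frag3Like:
    """Preprocessing stage: buffers fragments and emits only the rebuilt datagram."""
    def __init__(self):
        self.pending = {}       # (src, dst, frag_id) -> fragments seen so far
    def process(self, pkt):
        if pkt.frag_id is None:
            return pkt          # whole datagram: pass straight through
        key = (pkt.src, pkt.dst, pkt.frag_id)
        frags = self.pending[key] = sorted(self.pending.get(key, []) + [pkt], key=lambda f: f.offset)
        ends = [0] + [f.offset + len(f.payload) for f in frags[:-1]]   # where each fragment must start
        if any(f.offset != e for f, e in zip(frags, ends)) or frags[-1].more_fragments:
            return None         # gap, or final fragment not yet seen: keep waiting
        del self.pending[key]
        return Packet(pkt.src, pkt.dst, pkt.dport, b"".join(f.payload for f in frags))

class PortscanLike:
    """Stateful stage: tracks distinct ports per source and raises its own alert."""
    def __init__(self, threshold):
        self.threshold, self.ports = threshold, {}
    def process(self, pkt, alerts):
        seen = self.ports.setdefault(pkt.src, set())
        seen.add(pkt.dport)
        if len(seen) == self.threshold:
            alerts.append(f"portscan: {pkt.src} touched {self.threshold} ports")
        return pkt              # never consumed, so the detection engine still sees it

def detection_engine(pkt, alerts):
    """Stateless content rule; it matches only because the payload was rejoined."""
    if b"/etc/passwd" in pkt.payload:
        alerts.append(f"rule: /etc/passwd in payload from {pkt.src}")

def run_pipeline(packets, threshold=5):
    frag3, scan, alerts = Frag3Like(), PortscanLike(threshold), []
    for raw in packets:
        pkt = frag3.process(raw)
        if pkt is not None:     # incomplete fragments never reach detection
            detection_engine(scan.process(pkt, alerts), alerts)
    return alerts

# Constructed sample: a payload split so neither fragment matches alone, then a 5-port probe.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.1", 80, b"GET /../../etc/pa", frag_id=7, offset=0, more_fragments=True),
    Packet("10.0.0.5", "10.0.0.1", 80, b"sswd HTTP/1.0", frag_id=7, offset=17),
] + [Packet("10.0.0.9", "10.0.0.1", port, b"") for port in range(21, 26)]
```

Running `run_pipeline(SAMPLE)` yields one alert from the content rule (only after reassembly) and one from the stateful stage; feeding the second fragment first still reassembles correctly because the gap check waits for offset 0.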
Current thread:
- preprocessors Jonas Pfoh (Dec 16)
- Re: preprocessors Matt Olney (Dec 16)
- Re: preprocessors Matt Olney (Dec 16)
- Re: preprocessors Todd Wease (Dec 17)
- Re: preprocessors Matt Olney (Dec 17)
- Re: preprocessors Richard Bejtlich (Dec 17)
- Re: preprocessors Matt Olney (Dec 16)