Snort mailing list archives

InspectorType


From: Sancho Panza <sancho () posteo de>
Date: Mon, 02 Feb 2015 17:39:42 +0100

Hello!

Could someone please shed some light on my question:

In Snort 3.0, preprocessors (now called "inspectors") are registered via 
the InspectApi, which has a field "InspectorType type;". The possible 
values are:

     IT_BINDER,
     IT_WIZARD,
     IT_PACKET,
     IT_NETWORK,
     IT_STREAM,
     IT_SERVICE,
     IT_PROBE

What are the implications of choosing any of these?

I am writing a preprocessor that is supposed to kick in as early as possible. 
What it does is simply look at each packet and establish the following 
information:

-protocol (IPv4/IPv6, TCP, UDP, ICMP)
-source/destination ports
-packet size

This data is then forwarded elsewhere.

Would that be inspector type network or packet?

Many thanks

Sancho



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
