<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>In Snort, preprocessors happen after decoding and before detection for two purposes:<br>1. defrag/tcp-tracking/tcp-assembly etc.<br>2. detect non-rule-based threats.<br><br>For Suricata, AFAIK, it will handle some non-rule-based threats when decoding and tcp-streaming and store to p->events and p->action.<br>After tcp-reassembly, Suricata has some preprocessors to automatically identify the protocol (in app-layer-*.c source files). <br><br><div><div id="SkyDrivePlaceholder"></div>> Date: Fri, 29 Mar 2013 10:55:06 +0100<br>> From: Prabhakaran Kasinathan <prabhakaran1989@gmail.com><br>> To: suricata Mail List <oisf-devel@openinfosecfoundation.org><br>> Subject: [Oisf-devel] Diff Preprocessor / Detection Plugins<br>> Message-ID:<br>> <CAFH0ppbmdMWB1nxBz6LbsGHnfdJXVqFQmtxKR7+j6s0i4e7vAA@mail.gmail.com><br>> Content-Type: text/plain; charset="utf-8"<br>> <br>> Hi everyone,<br>> <br>> I would like to know the difference between a pre-processor and the<br>> detection plugins.<br>> <br>> Correct me if I am wrong:<br>> -- Pre-processsor: Preprocessor code is run before the detection engine<br>> is called, but after the packet has been decoded. The packet can be modi?ed<br>> or analyzed in an out-of-band manner using this mechanism [Snort]<br>> <br>> __ Does Suricata have any pre processors out-of-the box? Fast-IP<br>> matching is mentioned as one: In which module it is implemented ? any<br>> examples ?<br>> <br>> -- Detection plugins: These plugins add the additional functionality to<br>> detection. But is this called after the detection engine ?<br>> <br>> <br>> I am confused a bit about the efficiency / extra features which the<br>> pre-processor have.<br>> <br>> ------------<br>> I think the webpage<https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide>needs<br>> more clear documentation for the beginners.<br>> <br>> --<br>> Best Regards,<br>> Prabhakaran Kasinathan<br>> +39 3279720502<br><br></div> </div></body>
</html>