[Oisf-devel] Diff Preprocessor / Detection Plugins
Song liu
van20052005 at hotmail.com
Tue Apr 2 23:56:58 UTC 2013
In Snort, preprocessors happen after decoding and before detection for two purposes:
1. defrag/tcp-tracking/tcp-assembly etc.
2. detect non-rule-based threats.
For Suricata, AFAIK, it will handle some non-rule-based threats when decoding and tcp-streaming and store them in p->events and p->action.
After tcp-reassembly, Suricata has some preprocessors to automatically identify the protocol (in app-layer-*.c source files).
> Date: Fri, 29 Mar 2013 10:55:06 +0100
> From: Prabhakaran Kasinathan <prabhakaran1989 at gmail.com>
> To: suricata Mail List <oisf-devel at openinfosecfoundation.org>
> Subject: [Oisf-devel] Diff Preprocessor / Detection Plugins
> Message-ID:
> <CAFH0ppbmdMWB1nxBz6LbsGHnfdJXVqFQmtxKR7+j6s0i4e7vAA at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi everyone,
>
> I would like to know the difference between a pre-processor and the
> detection plugins.
>
> Correct me if I am wrong:
> -- Pre-processor: Preprocessor code is run before the detection engine
> is called, but after the packet has been decoded. The packet can be modified
> or analyzed in an out-of-band manner using this mechanism [Snort]
>
> -- Does Suricata have any pre-processors out-of-the-box? Fast-IP
> matching is mentioned as one: in which module is it implemented? Any
> examples?
>
> -- Detection plugins: These plugins add the additional functionality to
> detection. But is this called after the detection engine ?
>
>
> I am confused a bit about the efficiency / extra features which the
> pre-processor have.
>
> ------------
> I think the webpage <https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide> needs
> clearer documentation for beginners.
>
> --
> Best Regards,
> Prabhakaran Kasinathan
> +39 3279720502
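As an added illustration (not part of either message, and not Suricata or Snort code), a toy Python model of the stage order the reply describes: decode-time events, TCP reassembly, app-layer protocol identification, then rule matching. Probes, rule format and sample segments are all constructed; it also shows why a content match straddling two segments is only visible after reassembly.

```python
"""Toy model of the stage order the reply describes: decode, TCP stream reassembly,
app-layer protocol identification, then rule detection. Constructed illustration, not Suricata code."""
from dataclasses import dataclass, field
@dataclass
class Segment:
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes
    events: list = field(default_factory=list)   # stands in for p->events

def decode(seg, max_payload=1460):
    """Decode-time, non-rule-based check: an oversize segment is recorded as an event."""
    if len(seg.payload) > max_payload:
        seg.events.append("DECODE_TCP_PAYLOAD_TOO_LARGE")
    return seg

def reassemble(segments, isn):
    """Join segments in sequence order; stop at the first gap rather than guess across it."""
    data, expected = bytearray(), isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq != expected:
            break
        data += seg.payload
        expected += len(seg.payload)
    return bytes(data)

# Minimal invented probes standing in for the app-layer-*.c protocol parsers.
APP_PROBES = {
    "http": lambda d: d.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD") and b"HTTP/" in d,
    "tls": lambda d: d[:3] in (b"\x16\x03\x01", b"\x16\x03\x03"),
}

def identify_app_layer(data):
    return next((name for name, probe in APP_PROBES.items() if probe(data)), "unknown")

# Hypothetical rule: (sid, required app-layer protocol, content that must appear).
RULES = [("sid:1 toy admin-path probe", "http", b"/admin/")]

def detect(data, app):
    return [sid for sid, proto, content in RULES if proto == app and content in data]

def run_pipeline(segments, isn):
    decoded = [decode(s) for s in segments]
    stream = reassemble(decoded, isn)
    app = identify_app_layer(stream)
    return {"events": [e for s in decoded for e in s.events], "app": app,
            "alerts": detect(stream, app),   # detection runs on the reassembled stream
            "per_segment": [detect(s.payload, identify_app_layer(s.payload)) for s in decoded]}

# Constructed traffic: one request split so "/admin/" straddles the boundary, delivered out of order.
OUT_OF_ORDER = [Segment(1007, b"min/login HTTP/1.1\r\n"), Segment(1000, b"GET /ad")]
```

Running `run_pipeline(OUT_OF_ORDER, isn=1000)` yields one alert on the reassembled stream and none per segment, which is the ordering argument the reply makes.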