[Oisf-devel] Diff Preprocessor / Detection Plugins

Victor Julien victor at inliniac.net
Wed Apr 3 08:26:52 UTC 2013


On 03/29/2013 10:55 AM, Prabhakaran Kasinathan wrote:
>  Hi everyone,
> 
> I would like to know the difference between a pre-processor and the
> detection plugins.

In Suricata we're not using the term "preprocessor".

> Correct me if I am wrong: 
>   -- Pre-processsor: Preprocessor code is run before the detection
> engine is called, but after the packet has been decoded. The packet can
> be modified or analyzed in an out-of-band manner using this mechanism
> [Snort] 
> 
>       __ Does Suricata have any pre processors out-of-the box? Fast-IP
> matching is mentioned as one: In which module it is implemented ? any
> examples ?

In Suricata some of the tasks the Snort preprocessors do are part of the
decoding stage: defrag, flow tracking, tunnel decoding.

After this runs the TCP stream engine, with on top of that the app layer
decoding, which is our name for the modules that parse high level
protocols like http and smtp.

After this the detection engine is invoked. "Fast IP" matching is an
integral part of the detection engine.

>   -- Detection plugins: These plugins add the additional functionality
> to detection. But is this called after the detection engine ? 

These are called from the detection engine and are thus considered a
part of the detection engine.

> 
> I am confused a bit about the efficiency / extra features which the
> pre-processor have.   
> 
> ------------
> I think the webpage
> <https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Developers_Guide>
> needs more clear documentation for the beginners.

It is definitely work in progress, so suggestions are welcome.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
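The ordering Victor describes (decode, flow tracking, TCP stream engine, app layer, then detection) is why a content match on a raw packet is not enough: a string split across two segments, or delivered out of order, is only visible once the stream engine has reassembled it. The following is an added example written for this page, not Suricata code and not from anyone in this thread. It is a toy in Python with constructed segments and a constructed pattern; the flow key, the reassembler and the two detect functions are illustrative names, and the reassembler ignores overlap policies, retransmissions and window checks that a real stream engine must handle.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One already-decoded TCP segment, reduced to the fields the toy needs.
    (Constructed type; real decoders hand over full IP/TCP headers.)"""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def flow_key(seg):
    """Flow tracking: group segments by 5-tuple (one direction only, for brevity)."""
    return (seg.src, seg.sport, seg.dst, seg.dport, "tcp")


def reassemble(segments):
    """Toy TCP stream engine: per flow, order segments by sequence number and
    return the contiguous byte stream, stopping at the first gap so that data
    after a missing segment is never handed to detection out of context."""
    by_flow = {}
    for s in segments:
        by_flow.setdefault(flow_key(s), {})[s.seq] = s.payload
    streams = {}
    for key, segs in by_flow.items():
        nxt = min(segs)          # lowest seq seen stands in for the ISN here
        data = b""
        while nxt in segs:       # walk forward while the next byte is present
            data += segs[nxt]
            nxt += len(segs[nxt])
        streams[key] = data
    return streams


def detect_per_packet(segments, pattern):
    """What a content match sees if it runs directly on decoded packets:
    returns the indexes of segments whose own payload contains the pattern."""
    return [i for i, s in enumerate(segments) if pattern in s.payload]


def detect_on_streams(segments, pattern):
    """Detection invoked after the stream engine: match on reassembled data.
    Returns {flow_key: offset of the match in the stream}."""
    return {key: data.index(pattern)
            for key, data in reassemble(segments).items()
            if pattern in data}


# Constructed sample: one client splits the request across two segments and
# the second one arrives first; a second client sends an unrelated request.
PATTERN = b"/etc/passwd"
SAMPLE = [
    Segment("10.0.0.5", 40001, "10.0.0.9", 80, 1011, b"sswd HTTP/1.0\r\n"),
    Segment("10.0.0.7", 40002, "10.0.0.9", 80, 5000, b"HEAD / HTTP/1.0\r\n"),
    Segment("10.0.0.5", 40001, "10.0.0.9", 80, 1000, b"GET /etc/pa"),
]

if __name__ == "__main__":
    print("per-packet hits:", detect_per_packet(SAMPLE, PATTERN))
    print("post-reassembly hits:", detect_on_streams(SAMPLE, PATTERN))
```

Run stand-alone, the per-packet pass reports nothing while the post-reassembly pass reports a hit at offset 4 in the first client's stream. The same split is the classic segmentation evasion against any matcher that runs before the stream engine, which is the reason the detection engine sits at the end of the pipeline.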



