Re: [Snort-users] preprocessor's rules?

04-15-2008, Nigel Houghton


(I removed the useless extra "?"s from the subject, if this breaks your
threading try using a real MUA)

On 4/15/08 1:36 AM, "Rachmat Hidayat Al-Anshar"
<rachmat_hidayat_02@yahoo.com> wrote:

> Hi all.... :)
>
> I just want to know more about this following line on
> snort configurations file..
> var PREPROC_RULE_PATH ../preproc_rules
>
> what are preprocessor rules??
> and then, since I know that Snort's preprocessor only
> use plug-ins for its
> process, is it something that I missed about this
> "rules" for preprocessor...
>
> Any response supporting this question will be greatly
> appreciated
> Thanks in advance
> Rachmat Hidayat Al Anshar


From the ChangeLog:


2007-08-30 Steven Sturges <ssturges@sourcefire.com>

<snip>

Added support to provide action control (alert, drop, pass, etc)
over preprocessor and decoder generated events, as well as references
and classifications via a rule. These rules do not include IP
addresses as the individual preprocessor/decoder configuration
dictates the traffic to which an event applies. In conjunction
with this, certain post-processing rule options (tag, logto, etc)
may be added to those rules, while other options that relate to data
inspection (content, byte_test, etc) may not. Enable via
--enable-decoder-preprocessor-rules option to configure.

Been there for a while.

--
Nigel Houghton
Resident Hooligan
SF VRT
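
Added example, not part of the original post and not Snort's own code: a small Python check that applies the constraints the ChangeLog entry describes (an action keyword, no IP header, no data-inspection options) to header-less preprocessor/decoder rules. The sample rules, the gid/sid requirement and all function names are assumptions made for illustration.

```python
import re

# Actions: the ChangeLog names alert, drop and pass ("etc"); log is a standard Snort action.
ACTIONS = {"alert", "log", "pass", "drop"}
# Data-inspection options the ChangeLog names as not allowed (its "etc" covers more).
INSPECTION_OPTS = {"content", "byte_test"}
RULE_RE = re.compile(r"^(\w+)\s*(.*?)\s*\(\s*(.*)\)\s*$")


def parse_rule(line):
    """Split a rule into (action, header, options dict)."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule: %r" % line)
    action, header, body = m.groups()
    opts = {}
    # Options end with ';' (a literal ';' inside a value is written '\;').
    for part in re.split(r"(?<!\\);", body):
        if part.strip():
            key, _, value = part.partition(":")
            opts[key.strip()] = value.strip()
    return action, header, opts


def check_preproc_rule(line):
    """Return a list of problems; empty means the rule fits the ChangeLog's description."""
    action, header, opts = parse_rule(line)
    problems = []
    if action not in ACTIONS:
        problems.append("unknown action: " + action)
    if header:
        problems.append("has protocol/IP header: " + header)
    for name in sorted(INSPECTION_OPTS & opts.keys()):
        problems.append("data-inspection option not allowed: " + name)
    for required in ("gid", "sid"):  # assumption: generator + signature ID select the event
        if required not in opts:
            problems.append("missing " + required)
    return problems


# Constructed sample rules (not taken from the page).
SAMPLES = [
    'drop ( msg:"DECODE_NOT_IPV4_DGRAM"; gid:116; sid:1; rev:1; classtype:protocol-command-decode; )',
    'alert ( msg:"constructed example"; gid:116; sid:1; rev:1; tag:host,60,seconds,src; )',
    'alert tcp any any -> any 80 ( msg:"constructed bad example"; content:"abc"; gid:116; sid:1; )',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(check_preproc_rule(rule) or "ok", "<-", rule)
```

The first two samples pass: they change the action or add a post-processing option (tag) only. The third is flagged for carrying an IP header and a content match.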

