Snort mailing list archives
Re: InspectorType
From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Mon, 2 Feb 2015 19:05:01 +0000
Comments inline ...
________________________________________
From: Sancho Panza [sancho () posteo de]
Sent: Monday, February 02, 2015 11:39 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] InspectorType
Hello!
Could someone please shed some light on my question:
In Snort 3.0 preprocessors (now called "inspectors") are registered via
the InspectApi, which has a field "InspectorType type;". The possible
values are:
IT_BINDER,
-- determines which inspectors apply to given flows
IT_WIZARD,
-- determines which service inspector to use if none explicitly bound
IT_PACKET,
-- used to process all packets before session and service processing (e.g. normalize)
IT_NETWORK,
-- processes packets w/o service (e.g. arp_spoof, back_orifice)
IT_STREAM,
-- for flow tracking, ip defrag, and tcp reassembly
IT_SERVICE,
-- for http, ftp, telnet, etc.
IT_PROBE
-- process all packets after all the above (e.g. perf_monitor, port_scan)
What are the implications of choosing any of these?
-- they determine which inspectors are executed when
I am writing a preprocessor that is supposed to kick in as early as possible.
What it does is simply look at each packet and establish the following
information:
-protocol (IPv4/IPv6, TCP, UDP, ICMP)
-source/destination ports
-packet size
This data is then forwarded elsewhere.
Would that be inspector type network or packet?
-- sounds like you want packet. If you want to leverage prior inspection, a probe would be appropriate.
Many thanks
Sancho
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
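Added example, not code from the Snort project or from either poster above: a standalone C++ parser that extracts exactly what the question asks for (IP version, transport, source/destination ports, packet size) from one raw IP packet. The assumption is that an IT_PACKET inspector would call summarize() on each packet's raw bytes from its eval(); since, per the ordering above, that runs before the stream inspector does IP defragmentation, the parser has to deal with non-first fragments (no transport header to read ports from), IPv6 extension headers between the base header and the ports, and truncated headers on its own. The sample packets are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not Snort code. Assumption: an IT_PACKET inspector would call
// summarize() from its eval() on the raw packet, i.e. before defragmentation,
// so fragments and truncated headers are handled here rather than assumed away.

enum class IpVersion { None, V4, V6 };
enum class Transport { None, TCP, UDP, ICMP, ICMPv6, Other };

struct PacketSummary {
    IpVersion ip = IpVersion::None;
    Transport transport = Transport::None;
    uint16_t src_port = 0, dst_port = 0;  // stay 0 for ICMP, later fragments, truncation
    size_t size = 0;                      // bytes handed in: the "packet size"
    bool has_ports = false;               // a complete TCP/UDP port pair was read
    bool ok = false;                      // false for non-IP input or a truncated IP header
};

static uint16_t be16(const uint8_t* p) { return uint16_t((p[0] << 8) | p[1]); }

static Transport classify(uint8_t p) {
    switch (p) { case 1: return Transport::ICMP; case 6: return Transport::TCP;
                 case 17: return Transport::UDP; case 58: return Transport::ICMPv6; }
    return Transport::Other;
}

PacketSummary summarize(const uint8_t* d, size_t len) {
    PacketSummary s;
    s.size = len;
    if (len == 0) return s;
    uint8_t proto = 0; size_t off = 0;   // transport protocol number and header offset
    bool first_fragment = true;
    if ((d[0] >> 4) == 4) {
        if (len < 20) return s;
        size_t ihl = size_t(d[0] & 0x0f) * 4;
        if (ihl < 20 || len < ihl) return s;
        s.ip = IpVersion::V4;
        proto = d[9];
        off = ihl;
        first_fragment = (be16(d + 6) & 0x1fff) == 0;   // 13-bit fragment offset
    } else if ((d[0] >> 4) == 6) {
        if (len < 40) return s;
        s.ip = IpVersion::V6;
        proto = d[6];                                   // Next Header
        off = 40;
        for (int hops = 0; hops < 8; ++hops) {          // bounded extension-header walk
            if (proto == 0 || proto == 43 || proto == 60) {   // HbH, Routing, DstOpts
                if (len < off + 2) return s;
                size_t ext = (size_t(d[off + 1]) + 1) * 8;
                proto = d[off];
                off += ext;
            } else if (proto == 44) {                         // Fragment header
                if (len < off + 8) return s;
                first_fragment = (be16(d + off + 2) & 0xfff8) == 0;
                proto = d[off];
                off += 8;
            } else {
                break;
            }
            if (len < off) return s;                          // truncated extension header
        }
    } else {
        return s;                 // not IP (ARP etc.): a network inspector's business
    }
    s.transport = classify(proto);
    s.ok = true;
    if (!first_fragment) return s;   // later fragments carry no transport header
    if ((s.transport == Transport::TCP || s.transport == Transport::UDP) && len >= off + 4) {
        s.src_port = be16(d + off);
        s.dst_port = be16(d + off + 2);
        s.has_ports = true;
    }
    return s;
}

// Constructed sample packets, IP header onward (no link layer).
static const std::vector<uint8_t> kV4Tcp = {      // 10.0.0.1:49152 -> 10.0.0.2:80 SYN
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00, 10,0,0,1, 10,0,0,2,
    0xc0,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
static const std::vector<uint8_t> kV6HbhTcp = {   // ::1 -> ::2, Hop-by-Hop header, then TCP 8080 -> 443
    0x60,0x00,0x00,0x00, 0x00,0x1c, 0x00, 0x40, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2, 0x06,0x00, 0x01,0x04,0,0,0,0,
    0x1f,0x90, 0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x50,0x10, 0xff,0xff, 0,0, 0,0 };
static const std::vector<uint8_t> kV4UdpFrag2 = { // UDP, fragment offset 185: no ports visible
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x00,0xb9, 0x40,0x11,0x00,0x00, 10,0,0,1, 10,0,0,2, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41 };
static const std::vector<uint8_t> kV4Icmp = {     // ICMP echo request
    0x45,0x00,0x00,0x1c, 0x00,0x03,0x00,0x00, 0x40,0x01,0x00,0x00, 10,0,0,1, 10,0,0,2, 0x08,0x00,0xf7,0xff, 0x00,0x01,0x00,0x01 };
static const std::vector<uint8_t> kTruncated = { 0x45,0x00,0x00,0x28,0x00,0x01 };       // cut IPv4 header
static const std::vector<uint8_t> kArp = { 0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01 };   // not IP at all

int main() {
    const std::vector<uint8_t>* pkts[] = { &kV4Tcp, &kV6HbhTcp, &kV4UdpFrag2, &kV4Icmp, &kTruncated, &kArp };
    for (const auto* p : pkts) {
        PacketSummary s = summarize(p->data(), p->size());
        std::printf("ok=%d ip=%d transport=%d ports=%u->%u size=%zu\n", int(s.ok), int(s.ip),
                    int(s.transport), unsigned(s.src_port), unsigned(s.dst_port), s.size);
    }
}
```

The has_ports flag is the point of the fragment and truncation cases: a packet-level inspector sees every fragment as it arrives, so "no ports" must be distinguishable from "port 0" downstream. A probe (IT_PROBE), by contrast, runs after stream has reassembled and decoded, and could take these fields straight from Snort's own decode instead of re-parsing.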
Current thread:
- InspectorType Sancho Panza (Feb 02)
- Re: InspectorType Russ Combs (rucombs) (Feb 02)
