Snort mailing list archives

Re: preprocessors rules


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Mon, 23 Feb 2015 17:16:29 +0000

You can read on the preprocessors here: http://manual.snort.org/node17.html

The packet is decoded, then the preprocessor is run before detection.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Dan Roberts [mailto:danroberts2604 () gmail com]
Sent: Monday, February 23, 2015 10:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] preprocessors rules

Hi all,

One of my Snort sensors (eth1) is listening to the network traffic of many VLANs, sharing the same trunk.
And although I've defined only one VLAN (IP subnet) as my HOME_NET in snort.conf,
I receive many preprocessor alarms related to other VLANs (IP subnets) without any relation to my HOME_NET.

My question: do the preprocessor rules apply to all the network traffic the sensor sees, regardless of the HOME_NET setting in snort.conf? Or is there something I missed?

Thanks in advance for your help!

Dan




