Preprocessors
anomalies and obvious errors in data packets. A detailed description of available
preprocessors will show how they work.
During the installation process, you can compile support for different preprocessors
into Snort. Configuration parameters for different preprocessors (also called input
plug-ins and input modules) are present in the snort.conf file. Using this file, you
can enable or disable different preprocessors.
All enabled preprocessors operate on each packet. There is no way to bypass some
of the preprocessors based upon some criteria. If you have enabled a large number of
preprocessors, you may slow down the Snort detection process. Therefore you should be
careful when enabling preprocessors.
All preprocessors are enabled in the Snort configuration file using the preprocessor
keyword. The general format for enabling a preprocessor is as follows:
preprocessor <name>[: parameters]
The name of the preprocessor follows the preprocessor keyword. For example, the
following line in the snort.conf file enables the frag2 preprocessor:
preprocessor frag2
Usually preprocessors also accept parameters to configure different options for the
preprocessors. These parameters are usually optional. Mandatory parameters will be
specified explicitly in this text. Widely used preprocessors are discussed next.
You can write your own preprocessors. The information is available in
README.PLUGINS in the doc directory of the Snort source code. You can also find
sample code in the templates directory of the source code tree.
4.1.1 HTTP Decode
The Hyper Text Transfer Protocol (HTTP) allows hexadecimal characters in a URI,
and this can be used to defeat intrusion detection systems that look for known attacks.
For example, this can be done by inserting something like %3A%2F%2F in the URI to
replace the :// characters. The HTTP decode preprocessor normalizes HTTP requests so
that they can be processed properly by the detection engine. You can use a list of
ports used by HTTP servers or proxy servers as an argument to the preprocessor. The
following line in the configuration file will apply HTTP decode to packets coming to
ports 80, 8080, 443.
preprocessor http_decode: 80 8080 443
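The normalization step described above, as an added Python illustration (not Snort's code and not part of the original text): a content match misses a hex-encoded URI until the URI is decoded, and decoding is applied only to the ports in the http_decode list. The signature string, the sample requests and the bounded repeat-decoding loop are assumptions of this example.

```python
# Added illustration, not Snort source code. Signature and requests are constructed.
from urllib.parse import unquote

HTTP_PORTS = {80, 8080, 443}   # port list from the http_decode line above
SIGNATURE = "/etc/passwd"      # constructed content pattern for the demo


def normalize_uri(uri, max_rounds=3):
    """Decode %XX escapes; repeat (bounded) to undo double encoding.

    The repeat loop is an assumption of this example, not a statement
    about what http_decode itself does.
    """
    for _ in range(max_rounds):
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:
            break
        uri = decoded
    return uri


def inspect(dst_port, request_line):
    """Match SIGNATURE against the raw URI and against the normalized URI."""
    _method, uri, _version = request_line.split(" ", 2)
    # Only traffic to the configured ports is normalized, as in snort.conf.
    seen = normalize_uri(uri) if dst_port in HTTP_PORTS else uri
    return {"raw": SIGNATURE in uri, "normalized": SIGNATURE in seen}


SAMPLES = [  # constructed requests
    (80, "GET /cgi-bin/view?file=/etc/passwd HTTP/1.0"),
    (80, "GET /cgi-bin/view?file=%2Fetc%2Fpasswd HTTP/1.0"),
    (8080, "GET /cgi-bin/view?file=%252Fetc%252Fpasswd HTTP/1.0"),
    (8000, "GET /cgi-bin/view?file=%2Fetc%2Fpasswd HTTP/1.0"),
]

if __name__ == "__main__":
    for port, line in SAMPLES:
        print(port, inspect(port, line), line)
```

The last sample shows that a web server listening on a port missing from the list is inspected without normalization, so the port list should cover every HTTP server and proxy you monitor.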
A large number of attacks on web servers are carried out by obfuscating URI characters
using hexadecimal numbers in the URI. The HTTP decode preprocessor blocks any such
attempts by converting them to the actual URI. For example, if you have written a Snort