Chapter 3     Working with Snort Rules
3.7.3 Preprocessor Configuration
Preprocessors, or input plug-ins, operate on received packets before Snort rules are
applied to them. The preprocessor configuration is the second major part of the
configuration file. This section provides basic information about adding or removing
Snort preprocessors. Detailed information about each preprocessor is found in the next chapter.
The general format of configuring a preprocessor is as follows:
preprocessor <name_of_preprocessor>[: <configuration_options>]
The first part of the line is the keyword preprocessor. The name of the preprocessor
follows this keyword. If the preprocessor accepts options or arguments, you can list
them after a colon character that follows the preprocessor name. The colon and the
options are optional.
The following is an example of a line in the configuration file for the IP
defragmentation preprocessor frag2.
preprocessor frag2
The following is an example of a stream4 preprocessor with an argument to detect
port scans. The stream4 preprocessor has many other arguments as well, as described in
Chapter 4.
preprocessor stream4: detect_scans
Both frag2 and stream4 are predefined preprocessors. You can also write your
own preprocessors if you are a programmer. Guidelines for writing preprocessors are
provided with the Snort source code.
3.7.4 Output Module Configuration
Output modules, also called output plug-ins, manipulate output from Snort rules.
For example, if you want to log information to a database or send SNMP traps, you
need output modules. The following is the general format for specifying an output
module in the configuration file.
output <name_of_output_module>[: <configuration_options>]
For example, if you want to store log messages to a MySQL database, you can
configure an output module that contains the database name, database server address,
user name and password.
output database: alert, mysql, user=rr password=boota \
   dbname=snort host=localhost
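
The two directive formats above (preprocessor in 3.7.3 and output in 3.7.4), as an added example that is not from the book or the Snort source: a small Python parser that reads both kinds of line from a constructed configuration fragment, joins the backslash continuation used in the database example, and lists output modules whose options carry a password= value so that read access to the file can be reviewed. The function names are hypothetical.

```python
import re

# Constructed sample: the three directives shown in sections 3.7.3 and 3.7.4.
SAMPLE_CONF = """\
# constructed snort.conf fragment
preprocessor frag2
preprocessor stream4: detect_scans
output database: alert, mysql, user=rr password=boota \\
   dbname=snort host=localhost
"""

# keyword, plug-in name, then an optional ": options" part
DIRECTIVE = re.compile(r"^(preprocessor|output)\s+([^:\s]+)\s*(?::\s*(.*))?$")

def logical_lines(text):
    """Join lines ending in a backslash; drop blank lines and # comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield line
    if buf.strip():  # file ended on a continuation line
        yield buf.strip()

def parse_plugins(text):
    """Return (kind, name, options) for each preprocessor/output directive."""
    found = []
    for line in logical_lines(text):
        m = DIRECTIVE.match(line)
        if m:
            kind, name, opts = m.groups()
            found.append((kind, name, opts or ""))
    return found

def outputs_with_password(plugins):
    """Names of output modules whose options embed a password= value."""
    return [name for kind, name, opts in plugins
            if kind == "output" and re.search(r"\bpassword=\S+", opts)]

if __name__ == "__main__":
    plugins = parse_plugins(SAMPLE_CONF)
    for kind, name, opts in plugins:
        print(f"{kind:12} {name:10} {opts}")
    print("password stored in config for:", outputs_with_password(plugins))
```

Any module reported by outputs_with_password keeps its database credentials in clear text in the configuration file, so that file should be readable only by the account Snort runs as.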





