
Snort configuration -- Core preprocessors

25 Jan 2007 | SearchSecurityChannel.com


Preprocessors are functions called after a packet has been decoded, but before the detection engine is invoked. I call the following "core" preprocessors because they support functionality common to many protocols. Flow provides a single mechanism for Snort to track conversations, and certain preprocessors (like sfPortscan) rely on Flow.

preprocessor flow: stats_interval 0 hash 2

The defaults tell Flow to never dump statistics to standard out and to use the "hash by integer" method to track flows. Both values are acceptable.

The Frag3 preprocessor provides target-based IP defragmentation. In other words, operators can tell Snort how it should treat fragmented IP traffic directed to various hosts on the monitored network. The default values are:

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

With these options, Frag3 will monitor a maximum of 65536 simultaneous fragmented packets. The policy statement tells Frag3 to treat target systems as Windows TCP/IP stacks would and to generate alerts when odd fragmented traffic is detected.
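To make the "policy" keyword concrete, here is an added example (not Snort's code, and not from the original article) that models target-based defragmentation in a few lines of Python. Each fragment is a (byte offset, payload) pair; when two fragments overlap, the "first" policy keeps the bytes that arrived first and the "last" policy keeps the bytes that arrived last. The sample fragments are constructed for the example. The point for an operator is that a sensor configured with one policy can reassemble a different datagram from the one the destination host builds, which is why Snort lets you declare several frag3_engine lines, each with its own policy and a bind_to address list, to match the stacks actually present on the monitored network. The has_overlap check stands in for the kind of oddity that detect_anomalies alerts on; Snort's bsd, linux and solaris policies are more nuanced than the two modelled here and are left out.

```python
# Added example (not Snort's code): a toy model of target-based IP
# defragmentation, illustrating what Frag3's "policy" keyword selects.
#
# Each fragment is (byte offset, payload). When two fragments overlap,
# different TCP/IP stacks keep different bytes. Two policies are modelled:
#   "first": bytes from the fragment seen first are kept (the page's default)
#   "last":  bytes from the fragment seen last overwrite earlier ones
# Snort's bsd/linux/solaris variants are more nuanced and are not modelled.
from typing import Dict, List, Tuple

Fragment = Tuple[int, bytes]   # (offset within the datagram, payload bytes)


def has_overlap(fragments: List[Fragment]) -> bool:
    """Report whether any byte offset is covered by more than one fragment.

    This is the sort of oddity Frag3's detect_anomalies option alerts on.
    """
    seen = set()
    for offset, payload in fragments:
        span = range(offset, offset + len(payload))
        if any(pos in seen for pos in span):
            return True
        seen.update(span)
    return False


def reassemble(fragments: List[Fragment], policy: str) -> bytes:
    """Rebuild the datagram the way a host using `policy` would."""
    if policy not in ("first", "last"):
        raise ValueError(f"unsupported policy {policy!r}")
    buf: Dict[int, int] = {}
    for offset, payload in fragments:          # processed in arrival order
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "first":
                buf.setdefault(pos, byte)      # keep the byte already present
            else:
                buf[pos] = byte                # newest fragment wins
    if not buf:
        return b""
    length = max(buf) + 1
    holes = [pos for pos in range(length) if pos not in buf]
    if holes:
        # A hole means the datagram is incomplete and cannot be inspected yet
        raise ValueError(f"incomplete datagram, first missing offset {holes[0]}")
    return bytes(buf[pos] for pos in range(length))


def sensor_agrees_with_target(fragments: List[Fragment],
                              sensor_policy: str, target_policy: str) -> bool:
    """True when the IDS and the destination host would see the same bytes."""
    return reassemble(fragments, sensor_policy) == reassemble(fragments, target_policy)


# Constructed sample: the second fragment overlaps bytes 4-7 of the first.
SAMPLE: List[Fragment] = [
    (0, b"AAAABBBB"),   # covers offsets 0-7
    (4, b"CCCCDDDD"),   # covers offsets 4-11, overlapping 4-7
]

if __name__ == "__main__":
    print("overlap detected:", has_overlap(SAMPLE))
    for pol in ("first", "last"):
        print(f"{pol:5}: {reassemble(SAMPLE, pol)!r}")
    print("sensor 'first' vs target 'last' agree:",
          sensor_agrees_with_target(SAMPLE, "first", "last"))
```

Running the script shows the same twelve fragment bytes reassembling to two different datagrams under the two policies, and sensor_agrees_with_target returning False whenever the sensor's policy does not match the target's.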

The Stream4 preprocessor reassembles fragmented TCP traffic. It provides a means for Snort to keep track of connections without relying on simply checking for the presence of an ACK flag in a TCP segment. The default values are:

preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble

These values activate Stream4 and tell it to not report when it detects potentially odd activity, like overlapping TCP segments.
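The difference between stateful connection tracking and "check for the ACK flag" is easier to see in code. The following is an added example (not Snort's Stream4 code, and not from the original article): a minimal tracker that only counts a segment as part of an established session once it has seen the SYN, SYN/ACK and ACK of a three-way handshake, set beside the flag-only heuristic the article warns against. Sequence numbers, timeouts and direction checks are omitted, and the two packet traces are constructed for the example with documentation addresses.

```python
# Added example (not Snort's code): a minimal TCP connection tracker showing
# why a stateful preprocessor such as Stream4 beats "ACK flag set, so it must
# be an established session". Sequence numbers, timeouts and per-direction
# checks are left out to keep the state machine short.
from typing import Dict, FrozenSet, List, Tuple

Endpoint = Tuple[str, int]                 # (ip address, port)
Segment = Tuple[Endpoint, Endpoint, str]   # (src, dst, flags such as "S", "SA", "PA")


def ack_flag_heuristic(flags: str) -> bool:
    """The weak check: any segment carrying ACK is treated as part of a session."""
    return "A" in flags


class ConnectionTracker:
    """Track TCP sessions by handshake state rather than by a single flag."""

    def __init__(self) -> None:
        # Key is the unordered pair of endpoints so both directions share a state.
        self.state: Dict[FrozenSet[Endpoint], str] = {}

    def segment(self, src: Endpoint, dst: Endpoint, flags: str) -> bool:
        """Feed one segment; return True if it belongs to an established session."""
        key = frozenset((src, dst))
        cur = self.state.get(key)
        if "R" in flags:
            self.state.pop(key, None)          # a reset tears down whatever existed
            return False
        if cur is None:
            if flags == "S":
                self.state[key] = "SYN_SENT"   # handshake begins
            return False                       # bare ACK/FIN with no handshake: not a session
        if cur == "SYN_SENT" and flags == "SA":
            self.state[key] = "SYN_RECV"
            return False
        if cur == "SYN_RECV" and "A" in flags:
            self.state[key] = "ESTABLISHED"    # third handshake segment
            return True
        if cur == "ESTABLISHED":
            if "F" in flags:
                self.state[key] = "CLOSING"    # first FIN: half-closed
            return True
        if cur == "CLOSING":
            if "F" in flags:
                self.state.pop(key)            # second FIN: both sides done
            return True
        return False                           # anything else (e.g. repeated SYN) is not counted


def compare(trace: List[Segment]) -> Tuple[List[bool], List[bool]]:
    """Run a trace through both checks; returns (flag-only verdicts, stateful verdicts)."""
    tracker = ConnectionTracker()
    naive = [ack_flag_heuristic(flags) for _, _, flags in trace]
    stateful = [tracker.segment(src, dst, flags) for src, dst, flags in trace]
    return naive, stateful


# Constructed traces using documentation address ranges.
CLIENT: Endpoint = ("192.0.2.5", 40000)
SERVER: Endpoint = ("198.51.100.10", 80)
HANDSHAKE: List[Segment] = [
    (CLIENT, SERVER, "S"),
    (SERVER, CLIENT, "SA"),
    (CLIENT, SERVER, "A"),
    (CLIENT, SERVER, "PA"),   # first data segment of the session
]
STRAY_ACK: List[Segment] = [
    (("203.0.113.7", 55555), SERVER, "A"),   # ACK with no preceding handshake
]

if __name__ == "__main__":
    for name, trace in (("handshake", HANDSHAKE), ("stray ack", STRAY_ACK)):
        naive, stateful = compare(trace)
        print(f"{name}: flag-only {naive}  stateful {stateful}")
```

On the handshake trace the flag-only check already accepts the SYN/ACK as session traffic, while the tracker waits for the third segment; on the stray ACK the flag-only check accepts a segment that belongs to no connection at all, which the tracker rejects.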


Snort: Understanding the configuration file

 Introduction: Upgrade to Snort 2.6.1.2
 The snort.conf file
 Defining IP ranges of interest
 Defining ports of interest
 Core preprocessors
 Non-dynamic preprocessors
 Conclusion

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.






