Preprocessors
133
anomalies and obvious errors in data packets. A detailed description of the available preprocessors will show how they work.
During the installation process, you can compile support for different preprocessors into Snort. Configuration parameters for the preprocessors (also called input plug-ins or input modules) are present in the snort.conf file. Using this file, you can enable or disable individual preprocessors.
All enabled preprocessors operate on every packet; there is no way to bypass some of the preprocessors based upon some criteria. If you have enabled a large number of preprocessors, you may slow down the Snort detection process. Therefore, you should be careful when enabling preprocessors.
All preprocessors are enabled in the Snort configuration file using the preprocessor keyword. The general format of enabling a preprocessor is as follows:
preprocessor <name> [: parameters]
The name of the preprocessor follows the preprocessor keyword. For example, the following line in the snort.conf file enables the frag2 preprocessor:
preprocessor frag2
Preprocessors usually also accept parameters to configure their options. These parameters are usually optional; mandatory parameters will be specified explicitly in this text. Widely used preprocessors are discussed next.
You can write your own preprocessors. The information is available in README.PLUGINS in the doc directory of the Snort source code. You can also find sample code in the templates directory of the source code tree.
4.1.1 HTTP Decode
The Hyper Text Transfer Protocol (HTTP) allows hexadecimal escape sequences in a URI, which can be used to defeat detection of known attacks. For example, this can be done by inserting something like %3A%2F%2F in the URI in place of the :// characters. The HTTP decode preprocessor normalizes HTTP requests so that they can be processed properly by the detection engine. You can give a list of ports used by HTTP servers or proxy servers as an argument to the preprocessor. The following line in the configuration file applies HTTP decode to packets coming to ports 80, 8080 and 443:
preprocessor http_decode: 80 8080 443
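The following added Python example (not from the book and not Snort's own code) parses the preprocessor <name> [: parameters] form shown earlier and mimics the %XX normalization that http_decode performs, so that a content check which misses the encoded URI matches the normalized one. The port-check helper and all sample URIs are constructed for this example.

```python
import re

# Constructed snort.conf line, in the format the page shows.
CONF_LINE = "preprocessor http_decode: 80 8080 443"

def parse_preprocessor_line(line):
    """Parse 'preprocessor <name> [: parameters]' into (name, [params])."""
    head, _, params = line.strip().partition(":")
    parts = head.split()
    if len(parts) != 2 or parts[0] != "preprocessor":
        raise ValueError("not a preprocessor directive: %r" % line)
    return parts[1], params.split()

def http_decode_ports(line=CONF_LINE):
    """Ports the http_decode preprocessor is told to inspect."""
    name, params = parse_preprocessor_line(line)
    if name != "http_decode":
        raise ValueError("expected http_decode, got %s" % name)
    return [int(p) for p in params]

_HEX_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

def normalize_uri(uri):
    """Decode %XX escapes the way an HTTP-decode style normalizer does.
    Malformed escapes ('%ZZ', a trailing '%') are left untouched, so a
    broken request cannot break the normalizer."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), uri)

def rule_matches(uri, content, dst_port, ports=None):
    """Simplified 'content' check: the URI is normalized only when the
    destination port is one the preprocessor is configured for, which is
    why traffic to an unlisted port can still slip past a rule."""
    ports = http_decode_ports() if ports is None else ports
    haystack = normalize_uri(uri) if dst_port in ports else uri
    return content in haystack

if __name__ == "__main__":
    # The page's own example: %3A%2F%2F hides the '://' a rule looks for.
    encoded = "http%3A%2F%2Fexample.com/index.html"
    print(normalize_uri(encoded))            # http://example.com/index.html
    print(rule_matches(encoded, "://", 80))  # True (port 80 is decoded)
    print(rule_matches(encoded, "://", 81))  # False (port 81 is not listed)
```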
A large number of attacks on web servers are carried out by obfuscating URI characters using hexadecimal escapes in the URI. The HTTP decode preprocessor defeats such attempts by converting the escapes back to the actual URI characters before the detection engine inspects the request. For example, if you have written a Snort