Snort configuration -- Core preprocessors

This portion of Snort configuration deals with core preprocessors.

Preprocessors are functions called after a packet has been decoded, but before the detection engine is invoked. I call the following "core" preprocessors because they support functionality common to many protocols. Flow provides a single mechanism for Snort to track conversations, and certain preprocessors (like sfPortscan) rely on Flow.

preprocessor flow: stats_interval 0 hash 2

The defaults tell Flow to never dump statistics to standard out (stats_interval 0) and to use the "hash by integer" method to track flows (hash 2). Both values are acceptable.

The Frag3 preprocessor provides target-based IP defragmentation. In other words, operators can tell Snort how it should treat fragmented IP traffic directed to various hosts on the monitored network. The default values are:

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies

With these options, Frag3 will track a maximum of 65536 simultaneous fragmented packets. The policy first statement tells Frag3 to reassemble fragments the way Windows TCP/IP stacks would, and detect_anomalies tells it to generate alerts when odd fragmented traffic is detected.

The Stream4 preprocessor reassembles TCP streams from their individual segments. It provides a means for Snort to keep track of connections without relying on simply checking for the presence of an ACK flag in a TCP segment. The default values are:

preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble

These lines activate Stream4 with stream reassembly enabled and tell it not to report when it detects potentially odd activity, like overlapping TCP segments.
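As an added example (not from the article or from the Snort project), the following Python script parses the core-preprocessor lines of a snort.conf and audits them against the points made above: that Flow is present for the preprocessors that depend on it, that Frag3 has an engine with detect_anomalies, that Stream4 has its reassembly companion, and that disable_evasion_alerts is flagged because it suppresses the overlapping-segment alerts. The sample configuration is constructed from the defaults quoted in this article; the VALUE_OPTIONS table is this example's own list of options it treats as taking a value, and bind_to is assumed to be given as a single address or CIDR.

```python
"""Parse and audit the core-preprocessor lines of a snort.conf (example code)."""
import re

# Constructed snort.conf fragment: the defaults quoted in the article, plus a
# comment line and a var line so the parser has something to skip.
SAMPLE_CONF = """\
# core preprocessors
var HOME_NET 192.168.1.0/24
preprocessor flow: stats_interval 0 hash 2
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble
"""

# Options this example treats as taking one value; every other token is a flag.
# (Assumption for the example: bind_to is written as a single address/CIDR.)
VALUE_OPTIONS = {
    "stats_interval", "hash", "memcap", "rows",                  # flow
    "max_frags", "prealloc_frags",                               # frag3_global
    "policy", "timeout", "ttl_limit", "min_ttl", "bind_to",      # frag3_engine
    "max_sessions",                                              # stream4
}

PREPROC_RE = re.compile(r"^\s*preprocessor\s+(\w+)\s*(?::\s*(.*))?\s*$")


def parse_preprocessors(conf_text):
    """Return {preprocessor_name: [ {option: value_or_True}, ... ]}.

    A list is kept per name because frag3_engine may legitimately appear
    several times (one engine per bind_to range).
    """
    found = {}
    for line in conf_text.splitlines():
        m = PREPROC_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        name, arg_str = m.group(1), m.group(2) or ""
        tokens = arg_str.replace(",", " ").split()   # stream4 options may be comma-separated
        opts, i = {}, 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in VALUE_OPTIONS and i + 1 < len(tokens):
                opts[tok] = tokens[i + 1]
                i += 2
            else:
                opts[tok] = True                     # bare flag such as detect_anomalies
                i += 1
        found.setdefault(name, []).append(opts)
    return found


def audit(found):
    """Check the settings discussed in the article; return a list of finding strings."""
    findings = []

    if "flow" not in found:
        findings.append("flow: not enabled; preprocessors such as sfPortscan depend on it")
    elif found["flow"][0].get("stats_interval", "0") != "0":
        findings.append("flow: stats_interval %s dumps statistics to stdout periodically"
                        % found["flow"][0]["stats_interval"])

    if "frag3_global" not in found:
        findings.append("frag3: not enabled; IP fragments are not reassembled before detection")
    else:
        # 8192 is Snort's built-in max_frags default when the option is omitted.
        max_frags = int(found["frag3_global"][0].get("max_frags", 8192))
        if max_frags < 65536:
            findings.append("frag3_global: max_frags %d is below the 65536 used here" % max_frags)
        engines = found.get("frag3_engine", [])
        if not engines:
            findings.append("frag3_engine: no engine defined; frag3_global alone does nothing")
        for engine in engines:
            if "detect_anomalies" not in engine:
                findings.append("frag3_engine (policy %s): detect_anomalies missing; odd fragments "
                                "will not be alerted on" % engine.get("policy", "first"))

    if "stream4" not in found:
        findings.append("stream4: not enabled; TCP connection state is not tracked")
    else:
        if "disable_evasion_alerts" in found["stream4"][0]:
            findings.append("stream4: disable_evasion_alerts set; overlapping-segment and other "
                            "evasion alerts are suppressed")
        if "stream4_reassemble" not in found:
            findings.append("stream4_reassemble: missing; streams are not reassembled for detection")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_preprocessors(SAMPLE_CONF)) or ["no findings"]:
        print(finding)
```

Run against the article's defaults the script reports a single finding, the suppressed evasion alerts, which is exactly the visibility trade-off an operator should decide on deliberately rather than inherit from the shipped file.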

Snort: Understanding the configuration file

  Introduction: Upgrade to Snort
  The snort.conf file
  Defining IP ranges of interest
  Defining ports of interest
  Core preprocessors
  Non-dynamic preprocessors

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog.
