In http_decode, the original packet is not altered by this process. Then why do this stage (preprocessor) when nothing is changed?
What use is it?
Thanks
Snort's HTTP decode preprocessor doesn't change the original packet, but it does reduce the request to the proper format so that it can be passed through the detection engine. It merely does this to simplify the detection of malicious attempts.
A good book for all this is Snort 2.1 Intrusion Detection by Brian Caswell et al. (ISBN 1-931836-74-4). Try it, you'll love it.
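As an added illustration (not from the original thread and not Snort's own source), here is a simplified model of what the preprocessor does: the raw payload is kept untouched while a normalized copy of the URI is built beside it, and a rule's content string is checked against both buffers. The decoding steps and the sample request are assumptions chosen to show the idea, not a reproduction of http_decode's actual code.

```python
import re
from dataclasses import dataclass

def percent_decode(uri: str) -> str:
    """Decode %XX escapes once; malformed escapes such as %zz are left as-is."""
    out, i = [], 0
    while i < len(uri):
        if uri[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", uri[i + 1:i + 3]):
            out.append(chr(int(uri[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(uri[i])
            i += 1
    return "".join(out)

def normalize_path(path: str) -> str:
    """Resolve '.', '..' and repeated '/' segments the way a web server would."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def normalize_uri(raw_uri: str) -> str:
    """Normalize only the path part; the query string is passed through unchanged."""
    path, sep, query = raw_uri.partition("?")
    return normalize_path(percent_decode(path)) + sep + query

@dataclass(frozen=True)
class HttpRequest:
    raw: bytes      # original packet payload, never modified
    norm_uri: str   # normalized copy that only the detection engine looks at

def preprocess(raw: bytes) -> HttpRequest:
    """Build the normalized URI from the request line without touching 'raw'."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    _method, uri, _version = request_line.split(" ", 2)
    return HttpRequest(raw=raw, norm_uri=normalize_uri(uri))

def matches(req: HttpRequest, content: str) -> dict:
    """Check a rule's content string against the raw bytes and the normalized URI."""
    return {"raw": content.encode("latin-1") in req.raw, "normalized": content in req.norm_uri}

# Constructed sample request: the path is obscured with %XX escapes and dot segments.
SAMPLE = b"GET /cgi-bin/.%2e/%2e%2e/etc/pass%77d HTTP/1.0\r\nHost: example.test\r\n\r\n"
```

A rule written against the normalized buffer matches the sample request, while a plain byte match on the unmodified packet does not; the packet itself is still exactly what arrived on the wire.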