So for example, why do I need scan.rules when there is something like the sfportscan preprocessor? Is it because the preprocessor cannot detect all the activities, so there is a detection engine using rules with well-known signatures of network attacks trying to find a match? But there are also preproc rules, so I am a bit confused now. So do preprocessors use their own rules, and then there are normal rules in case none of these preproc rules found a match?

Thank you for answer.

uppermost
  • Preproc just helps the activities of the rules through packet reassembly, decoding, sorting of src and dst IP structures, etc. Refer to http://seclists.org/snort/2008/q2/26 – Mr.kang Apr 22 '17 at 05:24
  • But do preprocessors generate alerts by themselves or do they need rules, and when is preprocessor.rules used? – uppermost Apr 22 '17 at 08:33

1 Answer

Preprocessor rules are used to enable or disable (or change) events triggered by preprocessors. See the Snort manual.

The file scan.rules has nothing to do with the sfportscan preprocessor. It is meant as a container file to hold rules that detect possible scanning events. This eases the exclusion/inclusion of rules for users who don't need the whole ruleset.

Felix
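To make the distinction in the answer concrete, here is an added example (it is not code from the Snort project or from the posters in this thread): a small Python script that parses rule lines in both formats and reports which generator would raise each event and whether the line currently lets it alert. The sample rule lines are constructed to have the shape of entries in preprocessor.rules (in Snort 2.x the sfportscan preprocessor reports under generator ID 122; its rules have no network header and carry `metadata: rule-type preproc`) and of entries in scan.rules (ordinary text rules, which the rules engine reports under gid 1). The sid values and messages are illustrative and should be checked against the files shipped with your Snort version. The `set_enabled` helper does the one thing a preprocessor.rules line actually controls: whether the preprocessor's event is reported.

```python
"""Which Snort 2.x generator raises an event: preprocessor.rules vs. scan.rules lines.

Added example for this thread, not code from the Snort project or from the posters.
The sample rule lines are constructed to match the shape of the two files; the
gid/sid values are illustrative and should be checked against your own ruleset.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of preprocessor.rules: no network header, the
# preprocessor's own gid (122 = sfportscan) and "metadata: rule-type preproc".
SAMPLE_PREPROCESSOR_RULES = """\
# preprocessor.rules (constructed sample)
alert ( msg: "(portscan) TCP Portscan"; sid: 1; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
# alert ( msg: "(portscan) TCP Portsweep"; sid: 3; gid: 122; rev: 1; metadata: rule-type preproc ; classtype:attempted-recon; )
"""

# Constructed sample in the shape of scan.rules: ordinary text rules with a header,
# evaluated by the rules engine, which reports them under gid 1.
SAMPLE_SCAN_RULES = """\
# scan.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; classtype:attempted-recon; sid:1228; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; classtype:attempted-recon; sid:616; rev:4;)
"""

ACTIONS = r"alert|log|pass|drop|sdrop|reject"
# Preprocessor/decoder rule: the action is followed directly by the option list.
PREPROC_RE = re.compile(rf"^(?P<action>{ACTIONS})\s*\((?P<opts>.*)\)\s*$")
# Text rule: action proto src sport direction dst dport, then the option list.
TEXT_RE = re.compile(
    rf"^(?P<action>{ACTIONS})\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# "key:value;" pairs inside the parentheses (keyword-only options such as "nocase;" are skipped).
OPT_RE = re.compile(r"(?P<key>[a-z_-]+)\s*:\s*(?P<val>[^;]*);")

# Generator IDs relevant to the question (see the generator table in the Snort manual).
GID_NAMES = {1: "rules engine (text rules such as scan.rules)", 116: "decoder", 122: "sfportscan preprocessor"}


@dataclass
class Rule:
    kind: str       # "preproc" (no header, gid of the generator) or "text" (header, gid 1)
    enabled: bool   # False when the line is commented out with '#'
    gid: int
    sid: int
    msg: str

    @property
    def source(self) -> str:
        """Which component raises this event."""
        return GID_NAMES.get(self.gid, f"generator {self.gid}")


def parse_line(line: str) -> Optional[Rule]:
    """Parse one line of a rules file; returns None for blank lines and plain comments."""
    text = line.strip()
    if not text:
        return None
    enabled = not text.startswith("#")
    body = text.lstrip("#").strip()
    kind, match = "preproc", PREPROC_RE.match(body)
    if match is None:
        kind, match = "text", TEXT_RE.match(body)
    if match is None:
        return None
    opts = {k: v.strip() for k, v in OPT_RE.findall(match.group("opts"))}
    if "sid" not in opts:
        return None  # not an identifiable rule (Snort itself would reject it)
    return Rule(
        kind=kind,
        enabled=enabled,
        gid=int(opts.get("gid", "1")),  # text rules default to gid 1
        sid=int(opts["sid"]),
        msg=opts.get("msg", "").strip('"'),
    )


def load_rules(rules_text: str) -> List[Rule]:
    return [r for r in map(parse_line, rules_text.splitlines()) if r is not None]


def event_source(rules: List[Rule], gid: int, sid: int) -> str:
    """Explain who would raise gid:sid and whether the rules file currently lets it alert."""
    for r in rules:
        if r.gid == gid and r.sid == sid:
            state = "enabled" if r.enabled else "commented out, so not reported"
            return f"{gid}:{sid} '{r.msg}' comes from the {r.source} ({r.kind} rule, {state})"
    return f"{gid}:{sid} is not listed in these rule files"


def set_enabled(rules_text: str, gid: int, sid: int, enabled: bool) -> str:
    """Comment out (disable) or uncomment (enable) the line for gid:sid.

    This is the whole job of a preprocessor.rules entry: it adds no detection logic,
    it only decides whether the preprocessor's already-generated event is reported.
    """
    out = []
    for line in rules_text.splitlines():
        r = parse_line(line)
        if r is not None and r.gid == gid and r.sid == sid:
            body = line.strip().lstrip("#").strip()
            out.append(body if enabled else "# " + body)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    combined = SAMPLE_PREPROCESSOR_RULES + SAMPLE_SCAN_RULES
    for r in load_rules(combined):
        print(f"{r.gid}:{r.sid:<5} {'on ' if r.enabled else 'off'} {r.kind:7} {r.source}: {r.msg}")
    print(event_source(load_rules(combined), 122, 1))
    # Silence sfportscan's TCP Portscan event without touching scan.rules at all.
    silenced = set_enabled(SAMPLE_PREPROCESSOR_RULES, 122, 1, enabled=False)
    print(event_source(load_rules(silenced + SAMPLE_SCAN_RULES), 122, 1))
```

Running it as a script prints the summary before and after commenting out 122:1. Commenting the line out only silences that event; the sfportscan preprocessor still runs and tracks connections, and a text rule in scan.rules is still evaluated by the rules engine on its own, with its own sid under gid 1. Note that this toggling only has an effect when preprocessor.rules is actually included from snort.conf, and that the manual's `config autogenerate_preprocessor_decoder_rules` option governs what happens to preprocessor events whose rule is absent from the file, so check the manual for your version before relying on a deleted line.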