Preprocessor Plugins


What is a preprocessor and what can it do?

A preprocessor is a plugin that fits into the detection scheme before the detection engine does its work. It has the ability to examine every packet that is sniffed off the wire. In addition to examining the packet, a preprocessor may modify the contents of the packet (to normalize the data, for instance) and it can tag the packet so that it is not run through the detection engine. It also has the ability to generate alarms and log packets. In order to use a preprocessor, you will need to activate it with a preprocessor directive in the rules file. Each preprocessor has its own unique keyword and argument list used to activate it.

What preprocessors are currently available

Snort currently comes with three preprocessors. They are http_decode, minfrag, and portscan. The http_decode preprocessor normalizes the contents of HTTP requests. The minfrag preprocessor generates alerts for all fragmented packets under a specified size. The portscan preprocessor is used to detect portscans being run against the network.

http_decode

The http_decode preprocessor is used to normalize the contents of HTTP requests into plain ASCII text. HTTP requests can contain escaped characters in the form %XX. This can make it very difficult to use a network-based IDS to detect hostile requests made against a web server. By normalizing this data, the request is no longer obfuscated and the content matching rules for hostile HTTP requests can be used.
The arguments for the http_decode preprocessor are the ports for which traffic will be passed through the normalization function. For example, to decode all traffic sent to ports 80 and 8080, you would insert the following line into your rules file:
 preprocessor http_decode: 80 8080
 
The normalized packet (with corrected payload length) is then passed on to the detection engine. This preprocessor neither logs packets nor generates alerts.

minfrag

The minfrag preprocessor checks for fragmented packets. If the packet is a fragment and its size is less than or equal to the threshold value then it generates the alert:
 Tiny Fragments - Possible Hostile Activity
 
and also logs the packet. It also toggles the detection bit for this packet so that it is not passed to the detection engine. This preprocessor operates under the philosophy that modern networking hardware has no need to produce fragments smaller than a certain size (probably around 512). Frequently, attackers will utilize fragmented packets to sneak past firewalls and crawl under intrusion detection systems.
The minfrag preprocessor takes up to two arguments. The order of these arguments is irrelevant. One of the arguments is the fragment threshold value. The other argument determines whether we want to only check packets that are destined for the home network (as defined by the -h command-line option). This argument can be set to either any or home. If you set the home flag, then only packets destined to your home network will be checked. This will exclude any packets leaving your network. If the any flag is set, then all packets will be examined. So, for an example, if I wanted to generate an alert on all fragments of 128 bytes or less both coming to and leaving my network, I would add the following line to my rules file:
 preprocessor minfrag: 128 any
 
There are some issues that need to be addressed in the minfrag preprocessor. First, there is no default defined for the home or any flags. Second, the argument parser only checks that there is at least one argument, not whether that argument is the required threshold value. Therefore it is possible to activate the preprocessor with an undefined threshold value and cause unknown results. Both of these issues will be resolved in a future release of Snort (even if I have to write the code myself).

portscan

Sorry Patrick, I will write this section later. You do have to admit that it IS the most complicated of the preprocessors.
Copyright 2000 Andrew R. Baker