Prentice Hall – Intrusion Detection Systems with Snort

132 Chapter 4 • Plugins, Preprocessors and Output Modules

4.1 Preprocessors

When a packet is received by Snort, it may not be ready for processing by the main Snort detection engine and the application of Snort rules. For example, a packet may be fragmented. Before you can search for a string within the packet or determine its exact size, you need to defragment it by reassembling all fragments of the datagram. The job of a preprocessor is to make a packet suitable for the detection engine to apply its rules to. In addition, some preprocessors perform other tasks, such as detecting anomalies and obvious errors in data packets. A detailed description of the available preprocessors will show how they work.

[Figure 4-1 Simplified block diagram for Snort.]

During the installation process, you can compile support for different preprocessors into Snort. Configuration parameters for the preprocessors (also called input plug-ins or input modules) are present in the snort.conf file. Using this file, you can enable or disable individual preprocessors. All enabled preprocessors operate on every packet; there is no way to bypass a preprocessor for some packets based on a criterion. If you enable a large number of preprocessors, you may slow down the Snort detection process, so enable only the preprocessors you need.

All preprocessors are enabled in the Snort configuration file using the preprocessor keyword. The general format for enabling a preprocessor is as follows:

    preprocessor <name of preprocessor>[: <parameters>]

The name of the preprocessor follows the preprocessor keyword. For example, the following line in the snort.conf file enables the frag2 preprocessor:

    preprocessor frag2

Preprocessors usually also accept parameters that configure their options. These parameters are usually optional; mandatory parameters are noted explicitly in this text. Widely used preprocessors are discussed next.

You can also write your own preprocessors. The information is available in README.PLUGINS in the doc directory of the Snort source code, and sample code is in the templates directory of the source tree.
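As an added illustration of why the detection engine needs reassembled data (this is example code written for this edit, not code from the book or from Snort's frag2), here is a toy defragmenter in Python. The fragments, their offsets and the rule pattern are all constructed for the illustration, and offsets are plain byte offsets rather than the 8-byte units of a real IPv4 fragment header. It also reports the gaps, overlaps and missing last fragment that a preprocessor would flag as obvious errors before the rules run.

```python
# Added example, not from the book or from Snort: a toy defragmenter that
# shows a 'content:' match failing on individual fragments and succeeding on
# the reassembled datagram. Offsets are plain byte offsets (simplification).
from typing import List, Tuple

Fragment = Tuple[int, bool, bytes]   # (byte offset, more-fragments flag, data)

# Constructed sample: "/bin/sh" is split across two fragments so that neither
# fragment contains it on its own; the last fragment arrives first.
SAMPLE_FRAGMENTS: List[Fragment] = [
    (9, False, b"sh -c id"),      # last fragment, arrives out of order
    (0, True,  b"GET /bin/"),     # first fragment, 9 bytes long
]


def reassemble(frags: List[Fragment]) -> Tuple[bytes, List[str]]:
    """Return (datagram, anomalies).

    Fragments are sorted by offset and concatenated. A gap is zero-filled,
    an overlapping fragment is trimmed to the bytes already seen (the
    first copy wins), and a missing final fragment is reported. Each of
    these conditions is recorded as an anomaly string.
    """
    anomalies: List[str] = []
    buf = bytearray()
    expected = 0
    saw_last = False
    for offset, more, data in sorted(frags, key=lambda f: f[0]):
        if offset < expected:
            # Overlapping fragment: a classic evasion and an OS-dependent
            # ambiguity, so report it rather than silently pick a policy.
            anomalies.append(f"overlap at {offset} (expected {expected})")
            data = data[expected - offset:]
            offset = expected
        elif offset > expected:
            anomalies.append(f"gap {expected}-{offset}")
            buf.extend(b"\x00" * (offset - expected))
        buf.extend(data)
        expected = offset + len(data)
        if not more:
            saw_last = True
    if not saw_last:
        anomalies.append("no final fragment")
    return bytes(buf), anomalies


def content_match(payload: bytes, pattern: bytes) -> bool:
    """Stand-in for a Snort rule's 'content:' option."""
    return pattern in payload


def demo(frags: List[Fragment] = SAMPLE_FRAGMENTS, pattern: bytes = b"/bin/sh") -> dict:
    """Match the pattern per fragment and again after reassembly."""
    per_fragment = [content_match(data, pattern) for _, _, data in frags]
    datagram, anomalies = reassemble(frags)
    return {
        "per_fragment_hits": per_fragment,        # [False, False]
        "reassembled_hit": content_match(datagram, pattern),  # True
        "datagram": datagram,
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows both per-fragment checks failing and the check on the reassembled datagram succeeding, which is exactly the gap a fragmentation-aware preprocessor closes. The overlap handling here keeps the first copy of a byte; real operating systems differ on this, which is why overlapping fragments are worth alerting on rather than just resolving.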

4.1.1 HTTP Decode

The Hyper Text Transfer Protocol (HTTP) allows characters in a URI to be written as hexadecimal escape sequences, and attackers use this to defeat intrusion detection systems that match known attack strings against the raw URI. For example, the "://" in a URI can be written as %3A%2F%2F. The HTTP decode preprocessor normalizes HTTP requests so that the detection engine processes the decoded URI. You pass the list of ports used by your HTTP servers or proxy servers as an argument to the preprocessor. The following line in the configuration file applies HTTP decoding to packets arriving on ports 80, 8080 and 443:

    preprocessor http_decode: 80 8080 443

Note that traffic on port 443 is normally TLS-encrypted, so decoding there only helps where Snort sees the traffic in the clear. A large number of attacks on web servers are carried out by obfuscating URI characters with hexadecimal escapes. HTTP decode defeats such attempts by converting the escapes back to the actual URI before rules are applied, so a rule's content match sees the same string the web server would. For example, if you have written a Snort
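As an added example of the normalization described above (my own Python, not code from the book or from Snort's http_decode), here is a minimal URI decoder placed in front of a rule-style content check. The sample URIs, the rule content string, and the choice to report malformed escapes and a decoded NUL byte as anomalies are all constructed for this illustration; Snort's own preprocessor has its own alerting behaviour.

```python
# Added example, not from the book or from Snort: percent-decode a request
# URI once, so that a rule's content match sees what the web server would.
# Malformed escapes (%ZZ, a trailing %2) are left in place and reported,
# and a decoded NUL byte is reported, both as anomalies (my own choice).
from typing import Dict, List, Tuple

HEX_DIGITS = "0123456789abcdefABCDEF"


def normalize_uri(uri: str) -> Tuple[str, List[str]]:
    """Return (decoded URI, anomalies) after a single decoding pass."""
    out: List[str] = []
    anomalies: List[str] = []
    i, n = 0, len(uri)
    while i < n:
        c = uri[i]
        if c == "%":
            if i + 2 < n and uri[i + 1] in HEX_DIGITS and uri[i + 2] in HEX_DIGITS:
                ch = chr(int(uri[i + 1:i + 3], 16))
                if ch == "\x00":
                    anomalies.append(f"NUL byte at {i}")
                out.append(ch)
                i += 3
                continue
            # Not a valid %XX sequence: keep the literal '%' and report it.
            anomalies.append(f"malformed escape at {i}: {uri[i:i + 3]!r}")
        out.append(c)
        i += 1
    return "".join(out), anomalies


def rule_matches(uri: str, content: str) -> bool:
    """Stand-in for a Snort rule's 'content:' option applied to the URI."""
    return content in uri


# Constructed sample requests: the same attack URI written plainly, with
# every '/' ':' '?' '=' escaped, the "://" case from the text, and a
# malformed one.
SAMPLES: Dict[str, str] = {
    "plain":   "/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "encoded": "%2Fcgi-bin%2Fphf%3FQalias%3Dx%0A%2Fbin%2Fcat%20%2Fetc%2Fpasswd",
    "scheme":  "http%3A%2F%2Fevil.example%2Fx",
    "broken":  "/cgi-bin/phf?x=%ZZ%2",
}


def demo(content: str = "/bin/cat /etc/passwd") -> Dict[str, dict]:
    """Run the rule content check on each sample before and after decoding."""
    results: Dict[str, dict] = {}
    for name, raw in SAMPLES.items():
        decoded, anomalies = normalize_uri(raw)
        results[name] = {
            "raw_match": rule_matches(raw, content),
            "decoded_match": rule_matches(decoded, content),
            "decoded": decoded,
            "anomalies": anomalies,
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:8} raw={r['raw_match']!s:5} decoded={r['decoded_match']!s:5} "
              f"{r['decoded']!r} {r['anomalies']}")
```

The "encoded" sample never matches the rule content as transmitted but does after decoding, and the "plain" and "encoded" samples decode to the identical string, which is the property the preprocessor exists to provide. The decoder deliberately runs only one pass; a URI that decodes to further %XX sequences is a separate (double-encoding) case that this example does not normalize.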