Tuning the Preprocessors

If you are still dropping packets at this point, you will have to make some configuration changes to the preprocessors. The first and most important task when tuning the preprocessors is to ensure that you have allocated sufficient memory for them. Without enough memory reserved, certain preprocessors can end up not processing every packet that Snort sniffs. This is functionally equivalent to the preprocessor being disabled for a percentage of the time. Attacks that need a preprocessor to be discovered could easily slip by. This is worsened by attacks that span many packets: if a preprocessor does not have enough memory to normalize one packet out of a range ...
