What is the difference between signature detection and rule based heuristic identification?

Reassembling Packets

Signature-based detection matches well-defined patterns against the data in each packet, one at a time. It can't look at data across packets without help. By reassembling fragments into full packets with frag2, you can make sure that an attack doesn't successfully use fragmentation to evade detection. By reassembling each stream into one or more pseudo-packets with stream4, you attempt to ensure that the single-packet signature mechanism is able to match patterns across multiple packets in a TCP session. Finally, by adding state-keeping with stream4, you give this signature-matching some intelligence about which packets can be ignored and where a packet is in the connection. Packet reassembly preprocessors help to ensure that Snort detects attacks, even when the data to be matched is split across several packets.

Decoding Protocols

Rule-based detection generally gives you simple string/byte-matching against the data within a packet. It can't handle all the different versions of a URL in HTTP data without help, or at least without countably infinite rulesets. The http_decode preprocessor gives Snort the ability to canonicalize URLs before trying to match patterns against them. Straight rule-matching can also be foiled by protocol-based data inserted in the middle of data that would otherwise match a pattern. Both the rpc_decode and telnet_negotiation preprocessors remove data that could be extraneous to the pattern-matcher. The rpc_decode preprocessor consolidates all of the message fragments of a single RPC message into one fragment. The telnet_negotiation preprocessor removes Telnet negotiation sequences. Protocol-decoding preprocessors make string-matching possible primarily by forcing packet data into something less ambiguous, so that it can be more easily matched.

Nonrule or Anomaly-Based Detection

Rule-based detection performs well because of its simplicity. It's very deterministic, making it easy to tune for fewer false positives. It's also easy to optimize. However, there are functions that just can't be achieved under that model. Snort has gained protocol anomaly detection, but even this isn't enough to detect some types of attack. The portscan preprocessor allows Snort to keep track of the number of scan-style packets that it has received over a set time period, alerting when this number exceeds a threshold. The Back Orifice preprocessor allows Snort to detect encrypted Back Orifice traffic without creating a huge ruleset.

This third class of preprocessors expands Snort's detection model without completely redesigning it—Snort can gain any detection method flexibly. Preprocessors specifically, and plug-ins in general, give Snort the capability to be more than an IDS. They give it the capability to be an extensible intrusion detection framework onto which most any detection method can be built. Less spectacularly, they give Snort the capability to detect things for which there isn't yet a rule directive. For example, if you needed to have a rule that detected the word Marty being present in a packet between three and eight times (no more, no less), you'd probably need a preprocessor—Snort's rules language is flexible, but not quite that flexible. More usefully, what if you needed to detect a backdoor mechanism only identifiable by the fact that a single host sends your host/network UDP packets whose source and destination port consistently sum to the fixed number 777? (Note: this is a real tool.)

Without going quite that far, let's explore how a preprocessor is built.

Setting Up My Preprocessor

Every preprocessor is built from a common template, found in the Snort source code's templates/ directory. As you consider the Snort code, you should consider the following filename convention. We'll talk about the snort/ directory—this is the main directory you get when you expand the Snort source tarball or zipfile. Its contents look like this:

[[email protected] snort]$dollar; ls

acconfig.h config.h.in contribinstall-shmissing src

aclocal.m4 config.sub COPYINGLICENSE mkinstalldirsstamp-h.in

ChangeLog configuredoc Makefile.amrules templates

config.guess configure.in etc Makefile.insnort.8

The templates directory contains two sets of plug-in templates—to build a preprocessor plug-in, we want the spp_template.c and spp_template.h files.

[[email protected] snort]$dollar; ls templates/

Makefile.am spp_template.c sp_template.c

Makefile.in spp_template.h sp_template.h

You should take a look at these template files as you consider the Telnet negotiation preprocessor. This preprocessor is with the others in the snort/src/preprocessors directory.

[[email protected] preprocessors]$dollar; ls

Makefile.am spp_fnord.c spp_portscan2.h

Makefile.inspp_fnord.h spp_portscan.c

spp_arpspoof.c spp_frag2.c spp_portscan.h

spp_arpspoof.h spp_frag2.h spp_rpc_decode.c

spp_asn1.c #spp_http_decode.c#spp_rpc_decode.h

spp_asn1.h spp_http_decode.c spp_stream4.c

spp_bo.c spp_http_decode.h spp_stream4.h

spp_bo.h spp_perfmonitor.c spp_telnet_negotiation.c

spp_conversation.c spp_perfmonitor.h spp_telnet_negotiation.h

spp_conversation.h spp_portscan2.c

In the rest of this section, we'll explore the code in the file spp_telnet_negotiation.c, making references to the matching spp_telnet_negotiation.h header file as necessary. Remember, this book refers to the production Snort 2.0.0 code, which you can find on the CD accompanying this book. Let's start looking at this code:

/* Snort Preprocessor for Telnet Negotiation Normalization*/

/* $dollar;Id: spp_telnet_negotiation.c,v 1.14.2.1 2002/11/02 21:46:14 chrisgreen

Exp $dollar; */

/* spp_telnet_negotiation.c

*

* Purpose: Telnet and FTP sessions can contain telnet negotiation strings

* that can disrupt pattern matching. This plugin detects

* negotiation strings in stream and “normalizes” them much like

* the http_decode preprocessor normalizes encoded URLs

*

* Arguments: None

* Effect: The telnet nogiation data is removed from the payload

*

* Comments:

*

*/

The preprocessor starts out simply describing what its purpose is and how it can be called. You'll notice as we read through the code that the “Arguments” description in the previous comments is inaccurate—the code takes a space-delimited list of ports as an argument.

Before we continue reading code, we should talk about this preprocessor's purpose, so you understand what the code is doing. The best way to understand this thoroughly is to read the Requests for Comments (RFC) document describing the Telnet protocol.

OINK!

The Telnet protocol is described in detail in RFC 854, available via www.faqs.org/rfcs/rfc854.html. For even more comprehensive and easier-to-follow coverage, consider W Richard Stevens' TCP/IP Illustrated Volume 1. This is an essential and standard reference for understanding TCP/IP protocol implementations.

Telnet's creators knew that it would need to function between many devices, potentially with somewhat different levels of intelligence and flexibility. To this end, the Telnet protocol defines a Network Virtual Terminal (NVT), a “minimal” concept to which Telnet implementers could tailor their code. The protocol allows two NVTs to communicate to each other what options (extra features) they might or might not support. They communicate with escape sequences, which start with a special Interpret as Command (IAC) character. Following this character is a single-byte number, which codes a command. The command sent is usually a request that the other side activate/deactivate an option, if available, a request for permission to use an option, or an answer to a previous request from the other side. Most of these sequences, then, are three characters long, like this fictional one:

The protocol also allows for deleting the previous character sent via the Erase Character (EC) command and erasing the last line sent via the Erase Line (EL) command, both of which need to be accounted for in the preprocessor. It also allows for a No Operation (NOP) command, which tells it to do nothing—it's not clear why this is included in the protocol. Finally, it allows for complex negotiation of parameters of the options via a “subnegotiation” stream of characters, initiated with a Subnegotiation Begin (SB) character, followed by the option that it references, and terminated by a Subnegotiation End (SE) character. Such a sequence might look like this:

There's more to Telnet than this, but this is enough to read and understand the preprocessor code. Let's get into that code now.

What Am I Given by Snort?

We'll now take an in-depth look at the preprocessor's code, exploring what each line of the code does. Commentary follows the lines of code lines that it references. If your C skills are rusty, don't worry—you'll probably find this discussion quite understandable. The Telnet negotiation preprocessor is one of the simplest preprocessors. Let's take a look at it together.

/* your preprocessor header file goes here */

#include <sys/types.h>

#ifdef HAVE_STRINGS_H

#include <strings.h>

#endif

The preceding lines just import standard C header files.

#include “decode.h”

#include “plugbase.h”

#include “parser.h”

#include “log.h”

#include “debug.h”

#include “util.h”

#include “mstring.h”

#include “snort.h”

The preceding lines import Snort's function prototypes, constants, and data structures, so that this plug-in can reference them. The plugbase.h header file, in particular, contains prototypes for the important functions that every preprocessor plug-in must call. Table 6.2 lists the other header files with their corresponding functions.

Table 6.2. Header Files and Their Corresponding Functions

While not all of the header file listed in Table 6.2 are necessary, they've probably been included to keep things simple and maintainable for the programmer.

/* external globals from rules.c */

extern char *file_name;

extern int file_line;

The previous three lines are also standard—they allow the preprocessor to describe where its configuration directives came from. An example would be “line 43 of the snort.conf file.”

extern u_int8_t DecodeBuffer[DECODE_BLEN]; /* decode.c */

As of Snort 1.9.1, this function is specific to the telnet_negotiation preprocessor. The preprocessor prunes negotiation code by copying all non-negotiation data from the packet it's examining into a globally available DecodeBuffer. It then signals that the packet has an alternate form, allowing the detection engine to look at either form of the packet data, based on whether the rules it evaluates specify “rawbytes.” Oddly, even though rawbytes sounds like a more general option, it's implemented strictly for the benefit of Telnet.

OINK!

Rawbytes signals that the rule should look at the non-negotiation-modified version of the Telnet packet.

/* define the telnet negotiation codes (TNC) that we're interested in */

#define TNC_IAC 0xFF

#define TNC_EAC 0xF7

#define TNC_SB 0xFA

#define TNC_NOP 0xF1

#define TNC_SE 0xF0

#define TNC_STD_LENGTH 3

The first five constants define the numerical versions of the codes that we explored earlier. The last constant simply codifies the fact that any negotiation sequences are at least three characters long.

/* list of function prototypes for this preprocessor */

extern void TelNegInit(u_char *);

As we'll explore soon, the TelNegInit() function initializes the preprocessor when Snort first starts. It calls a function to parse the preprocessors arguments from the snort.conf file and adds the main work function (NormalizeTelnet()) to the list of preprocessors called to examine every packet. Every preprocessor must have one of these functions to perform these two tasks. It must also have a Setup function to link this one to the Snort codebase—we'll explore SetupTelNeg() soon.

extern void NormalizeTelnet(Packet *);

As we'll explore later, this function performs the real task of the preprocessor. The previously discussed Init function will register this with Snort's main preprocessor engine.

static void SetTelnetPorts(char *portlist);

This function parses the Telnet negotiation preprocessor's arguments and is called by TelNegInit(). It parses a simple port list into a data structure that NormalizeTelnet() can reference before trying to work on a packet.

/* array containing info about which ports we care about */

static char TelnetDecodePorts[65536/8];

This array stores the TCP ports that the preprocessor will be paying attention to. Notice that it stores this via a single bit for every port between 0 and 65,536, not a byte.

/*

* Function: SetupTelNeg()

*

* Purpose: Registers the preprocessor keyword and initialization

* function into the preprocessor list.

*

* Arguments: None.

*

* Returns: void function

*

*/

void SetupTelNeg()

{

/* Telnet negotiation has many names, but we only implement this

* plugin for Bob Graham's benefit…

*/

RegisterPreprocessor(“telnet_decode”, TelNegInit);

DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, “Preprocessor: Telnet Decode

Decode is setup…\n”););

}

SetupTelNeg() links this preprocessor to the Snort code by registering its rules file keyword telnet_decode with its initiation function, TelNegInit(). The obvious reason for this registration is so that the initialization code isn't called if the keyword referring to the preprocessor isn't present in Snort's configuration file. This registration takes place via the RegisterPreprocessor() function from plugbase.c.

This is the first function in the preprocessor that Snort calls. It is called from plugbase.c, to which we must add it by hand. This process, which we'll describe after explaining this code, is also outlined in snort/doc/README.PLUGINS.

/*

* Function: TelNegInit(u_char *)

*

* Purpose: Calls the argument parsing function, performs

* final setup on data structs, links the preproc function

* into the function list.

*

* Arguments: args => ptr to argument string

*

* Returns: void function

*

*/

void TelNegInit(u_char *args)

{

DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, “Preprocessor: TelNegInitialized\n”););

SetTelnetPorts(args);

/* Set the preprocessor function into the function list */

AddFuncToPreprocList(NormalizeTelnet);

}

This function is called by Snort early in its run, as it parses the Snort rules file. It is a standard preprocessor Init() function, which is always registered by the preprocessor's Setup() function. The purpose of this function is to call an argument-parser and to add the preprocessor's main function to the preprocessor function list. Remember, a packet entering Snort goes through the decoder to be parsed, then each of the preprocessors in order, and then finally goes to the detection engine. AddFuncToPreprocList(), from plugbase.c, adds our preprocessor's main function to the linked list of preprocessor functions.

/*

* Function: PreprocFunction(Packet *)

*

* Purpose: Perform the preprocessor' s intended function. This can be

* simple (statistics collection) or complex (IP defragmentation)

* as you like. Try not to destroy the performance of the whole

* system by trying to do too much….

*

* Arguments: p => pointer to the current packet data struct

*

* Returns: void function

*

*/

void NormalizeTelnet(Packet *p)

{

This is the real workhorse of the preprocessor. In essence, this is the function for which SetupTelNeg() and InitTelNeg() exist to provide to Snort. This structure of functions is standard, as you'll note when reading the other preprocessors and the preprocessor template.

The function starts out receiving a simple pointer to the packet currently being considered. (You can find the structure definition for Packet in snort/src/decode.h.) Let's look at the variables that it defines.

char *read_ptr;

char *start = (char *) DecodeBuffer; /* decode.c */

char *write_ptr

char *end;

int normalization_required = 0

▪

read_ptr points to the current byte being considered in the incoming packet data.

start points to the beginning of the destination buffer (DecodeBuffer).

write_ptr points to the current position to which we're writing in DecodeBuffer.

end points to the end of the incoming packet data.

normalization_required tells us whether we need to normalize this packet.

/* check for TCP traffic that's part of an established session */

if(!PacketIsTCP(p))

{

return;

}

Like every preprocessor function, this one must decide whether it should even be looking at this packet. If the packet isn't a TCP packet, the preprocessor needs to exit.

/* check the port list */

if(!(TelnetDecodePorts[(p->dp/8)] & (1<<(p->dp%8))))

{

return

}

p->dp is the packet's destination port. If this port was not among those that this preprocessor should affect, we need to exit.

Again, note that the port is being checked in this array using a bitwise check. For example, if dp=14, then p->dp/8 will be 1, thus referring to the second byte in the array. 1<<(p->dp%8) means “shift the binary number 00000001 by the remainder of dp/8.” 14%8 is 6, so 1<<(p->dp%8) is, in binary, 0100 0000. By AND-ing the second byte in the array with this number, we get the status of the sixth byte.

/* negotiation strings are at least 3 bytes long */

if(p->dsize < TNC_STD_LENGTH)

{

return;

}

Finally, we're looking at something specific to the Telnet protocol. This if statement just says that, since any Telnet negotiation sequence must be at least 3 bytes long, it doesn't need to see any packet whose data is less than 3 bytes.

/* setup the pointers */

read_ptr = p->data;

end = p->data + p->dsize;

This sets our start and end points on the incoming packet data:

/* look to see if we have any telnet negotiaion codes in the payload */

while(!normalization_required && (read_ptr++ < end))

{

/* look for the start of a negotiation string */

if(*read_ptr == (char) TNC_IAC)

{

/* set a flag for stage 2 normalization */

normalization_required = 1;

}

}

This code runs through the incoming packet data looking for the start of a Telnet negotiation code sequence. This code doesn't perform any modifications—it's just here to quickly determine if the packet will need normalization. As soon as it finds a single IAC character, it flags that normalization is required and halts.

/*

* if we found telnet negotiation strings OR backspace characters,

* we're going to have to normalize the data

*

* Note that this is always (now: 2002-08-12) done to a

* alternative data buffer.

*/

\n

if(normalization_required)

{

If we found an IAC character, then this routine normalizes the data:

/* rewind the data stream to p->data */

read_ptr = p->data;

/* setup for overwriting the negotaiation strings with

* the follow-on data

*/

write_ptr = (char *) DecodeBuffer;

We set the read_ptr to the beginning of the incoming packet data, and the write_ptr to the start of the output buffer. Remember, DecodeBuffer is a global variable that the detection engine will look in for our alternative version of the packet.

/* walk thru the remainder of the packet */

while((read_ptr < end) && (write_ptr < ((char *) DecodeBuffer) +DECODE_BLEN))

{

DECODE_BLEN is the constant length of the DecodeBuffer. The while loop allows us to copy data from the packet data to the DecodeBuffer, skipping negotiation sequences.

/* if the following byte isn't a subnegotiation initialization*/

if(((read_ptr + 1) < end) &&

(*read_ptr == (char) TNC_IAC) &&

(*(read_ptr + 1) != (char) TNC_SB))

{

This code looks for negotiation sequences (initiated by IAC) and skips the read_ptr forward the appropriate number of bytes. Remember, skipping read_ptr forward without doing a copy ensures that the skipped data doesn't make it into DecodeBuffer. Note that this code doesn't want to handle the suboption negotiation case; hence, its decision not to branch if the second byte in the sequence is a Subnegotiation Begin (TNC_SB) character.

/* NOPs are two bytes long */

switch(* ((unsigned char *)(read_ptr + 1)))

{

case TNC_NOP:

read_ptr += 2;

break;

If the sequence is just an IAC, NOP, then it's only two characters long.

case TNC_EAC:

read_ptr += 2;

/* wind it back a character */

if(write_ptr > start)

{

write_ptr—;

}

break;

EAC is a backspace. When we see one, we skip the two characters of negotiation (IAC, EAC), but also decrement write_ptr, so that the byte that was at write_ptr is overwritten on our next character write.

default:

/* move the read ptr up 3 bytes */

read_ptr += TNC_STD_LENGTH;

}

In all other non-subnegotiation cases, we need to skip exactly three characters.

}

/* check for subnegotiation */

else if(*(read_ptr+1) == (char) TNC_SB)

{

/* move to the end of the subneg */

do

{

read_ptr++;

} while((*read_ptr != (char) TNC_SE) && (read_ptr < end));

Remember that our last if branch refused to handle subnegotiation. This one handles them—it simply moves the read_ptr forward until it gets past the terminating Subnegotiation End (SE) character, thus omitting the entire sequence from DecodeBuffer.

}

else

{

DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, “overwriting %2X(%c)with %2X(%c)\n”,

(char)(*write_ptr&0xFF), *write_ptr,

(char)(*read_ptr & 0xFF), *read_ptr););

/* overwrite the negotiation bytes with the follow-onbytes */

*write_ptr++ = *read_ptr++;

}

This is the case where we weren't at the start of a negotiation code. We just copy another character from the packet data to DecodeBuffer.

}

p->packet_flags |= PKT_ALT_DECODE;

p->alt_dsize = write_ptr - start;

The code now sets two variables on the original packet's data structure. The first tells the detection engine that the telnet_negotiation preprocessor has created a second, altered version of the packet data by using a bitwise-OR to set a Snort internal packet flag. Don't worry; this is changing data that Snort keeps on the packet, not in the original data collected from the packet. The second variable stores the length of the data placed in DecodeBuffer.

DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,

“Converted buffer after telnet normalization:\n”);

PrintNetData(stdout, (char *) DecodeBuffer, p->alt_dsize););

DebugMessage() now logs the results of the telnet_negotiation preprocessor's handiwork. If Snort is at the appropriate level of debug, this will come out.

}

}

Now, for the sake of brevity, we're not going to explain the argument-parsing function much. This function, as is standard with most of the preprocessors, is a mostly optional routine called by the preprocessor Init() function, which is InitTelNeg() in this case.

/*

* Function: SetTelnetPorts(char *)

*

* Purpose: Reads the list of port numbers from the argument string and

* parses them into the port list data struct

*

* Arguments: portlist => argument list

*

* Returns: void function

*

*/

static void SetTelnetPorts(char *portlist)

{

char portstr[STD_BUF];

char **toks;

int is_reset = 0;

int num_toks = 0;

int num = 0;

if(portlist == NULL || *portlist == ‘\0’)

{

portlist = “21 23 25 119”;

}

If this function does not get a list of ports in the Snort configuration file, it chooses ports 21, 23, 25, and 119.

/* tokenize the argument list */

toks = mSplit(portlist, “ ”, 31, &num_toks, ‘\\rsquo;);

mSplit is one of the functions in mstring.c, Snort's string-handling functions.

LogMessage(“telnet_decode arguments:\n”);

/* convert the tokens and place them into the port list */

for(num = 0; num < num_toks; num++)

{

if(isdigit((int)toks[num][0]))

{

char *num_p = NULL; /* used to determine last position instring */

long t_num;

t_num = strtol(toks[num], &num_p, 10);

if(*num_p != ‘\0’)

{

FatalError(“ERROR => Port Number invalid format: %s\n”, toks[num]);

}

else if(t_num < 0 || t_num > 65335)

{

FatalError(“ERROR => Port Number out of range: %ld\n”, t_num);

}

/* user specified a legal port number and it should override the

default */

port list, so reset it unless already done */

if(!is_reset)

{

bzero(&TelnetDecodePorts, sizeof(TelnetDecodePorts));

portstr[0] = ‘\0’;

is_reset = 1;

}

/* mark this port as being interesting using some

portscan2-type voodoo, and also add it to the port

list string while we're at it so we can later

print out all the ports with a single LogMessage() */

TelnetDecodePorts[(t_num/8)] |= 1<<(t_num%8);

strlcat(portstr, toks[num], STD_BUF − 1);

strlcat(portstr, “ ”, STD_BUF − 1);

}

else

{

FatalError(“ERROR %s(%d) => Unknown argument to telnet_decode”

“preprocessor: \”%s\“\n”,

file_name, file_line, toks[num]);

}

}

/* print out final port list */

LogMessage(“ Ports to decode telnet on: %s\n”, portstr);

}

As promised, this function was fairly simple.

Adding the Preprocessor into Snort

Snort's plug-ins are linked into it in a fairly static way. In essence, you need to do the following to link in a new plug-in:

Insert an include directive in plugbase.c for your plug-ins header file.

Insert a call to your plug-ins Setup() function in plugbase.c's InitPreprocessors().

Add your plug-ins code and header file to the preprocessors/Makefile.am.

Let's practice doing this for the telnet_negotiation preprocessor, as if it hadn't been done yet. First, we need to add our telnet_negotiation.h header file into plugbase.c. Here's the relevant portion of plugbase.c:

#include “detect.h“

/* built-in preprocessors */

#include “preprocessors/spp_http_decode.h”

#include “preprocessors/spp_portscan.h”

#include “preprocessors/spp_rpc_decode.h”

#include “preprocessors/spp_bo.h”

#include “preprocessors/spp_stream4.h”

#include “preprocessors/spp_frag2.h”

#include “preprocessors/spp_arpspoof.h”

#include “preprocessors/spp_asn1.h”

#include “preprocessors/spp_fnord.h”

#include “preprocessors/spp_conversation.h”

#include “preprocessors/spp_portscan2.h”

We can just add a single line to the end of this list:

#include “preprocessors/spp_telnet_negotiation.h”

Second, let's insert our Setup() function into plugbase.c, so that our plug-in has a chance to register itself. We're adding this call to InitPreprocessors():

void InitPreprocessors()

{

if(!pv.quiet_flag)

{

printf(“Initializing Preprocessors!\n”);

{

SetupHttpDecode();

SetupPortscan();

SetupPortscanIgnoreHosts();

SetupRpcDecode();

SetupBo();

SetupStream4()

SetupFrag2();

SetupARPspoof();

SetupASN1Decode();

SetupFnord();

SetupConv();

SetupScan2();

}

Now we can add the Telnet negotiation plug-ins Setup() function, called SetupTelNeg():

SetupTelNeg();

Finally, we need only add our preprocessor's source files to:

snort/src/preprocessors/Makefile.am:

libspp_a_SOURCES = spp_arpspoof.c spp_arpspoof.h spp_bo.c spp_bo.h \

spp_frag2.c spp_frag2.h spp_http_decode.c spp_http_decode.h \

spp_portscan.c spp_portscan.h spp_rpc_decode.c spp_rpc_decode.h \

spp_stream4.c spp_stream4.h spp asn1.c spp_asn1.h spp_fnord.c spp_\

fnord.h spp_conversation.c spp_conversation.h spp_portscan2.c spp_\

portscan2.h spp_perfmonitor.c spp_perfmonitor.h

We can add our Telnet negotiation preprocessor like so:

libspp_a_SOURCES = spp_arpspoof.c spp_arpspoof.h spp_bo.c spp_bo.h \

spp_frag2.c spp_frag2.h spp_http_decode.c spp_http_decode.h \

spp_portscan.c spp_portscan.h spp_rpc_decode.c spp_rpc_decode.h \

spp_stream4.c spp_stream4.h spp asn1.c spp_asn1.h spp_fnord.c spp_\

fnord.h spp_conversation.c spp_conversation.h spp_portscan2.c spp_\

portscan2.h spp_perfmonitor.c spp_perfmonitor.h spp_telnet_negotiation.c \

spp_telnet_negotiation.h

That's all there is to it—adding a Snort preprocessor is pretty easy!