Each of the network layer preprocessors (frag3 and stream5) make use of the respective FRAG_POLICY and STREAM_POLICY in terms of how data is handled for reassembly for packets being received by that host.
The application layer preprocessors (HTTP, SMTP, FTP, Telnet, etc) make use of the SERVICE information for connections destined to that host on that port.
For example, even if the telnet portion of the FTP/Telnet preprocessor is only configured to inspect port 23, Snort will inspect packets for a connection to 192.168.1.234 port 2300 as telnet.
Conversely, if, for example, HTTP Inspect is configured to inspect traffic on port 2300, HTTP Inspect will NOT process the packets on a connection to 192.168.1.234 port 2300 because it is identified as telnet.
Below is a list of the common services used by Snort's application layer preprocessors and Snort rules (see below).
| http | ftp | ftp-data | telnet | smtp | ssh | tftp |
| dcerpc | netbios-dgm | netbios-ns | netbios-ssn | nntp | finger | sunrpc |
| dns | isakmp | mysql | oracle | cvs | shell | x11 |
| imap | pop2 | pop3 | snmp |