NAP or network analysis policy process packet in a phased manner where it does the following functions
It first decodes the packet and converts the packet header and payload into a format that can be used by the snort pre-processors which is later used by IPS policy. NAP detects various anomalous behavior in the packet headers.
Next is normalization pre-processor where the packet is normalized to minimize the chances of attackers evading detection and later the packet is sent to IPS policy for inspection.
Then pre-processing where various network and transport layers preprocessors detect attacks that exploit IP fragmentation, perform checksum validation, and perform TCP and UDP session preprocessing.
