The Snort preprocessors have changed a lot in recent versions. Old, standby preprocessors (like portscan2) are gone, replaced with new methods born out of development work by the open source community and the commercial incarnation of Snort from Sourcefire. It seems that the code for some of these deprecated preprocessors is still there—you could still use some of the old functionality if that is what you are used to. We won't talk about it here, however.
The preprocessors serve a few purposes. They normalize traffic for a variety of services, ensuring that the data in the packets Snort is watching will have the best chance of being in a format that the signatures will recognize. Another function of the preprocessors is self-defense. A variety of attacks have been developed that are designed to confuse or overwhelm an NIDS sensor, so an attacker can do her work unnoticed. The frag2 and stream4 preprocessors are primarily defense mechanisms.
The final benefit provided by the preprocessors is that they extend Snort's ability to detect network anomalies that may be signs of intrusion—not just notice things that are contained in the rule sets. Apart from just the raw performance that Snort offers, the preprocessors serve to differentiate Snort from other NIDS solutions on the market today.
The flow preprocessor is going to be the central storehouse for state keeping in Snort. Right now, there is only one module for flow: flow-portscan (see below). flow ...