Snort mailing list archives

Analysis done by Snort


From: Ashley Thomas <athomas () unity ncsu edu>
Date: Wed, 26 Sep 2001 22:11:08 -0400

Hi,

I have a doubt regarding how Snort does the analysis.
When Snort starts it reads all the rules from the snort.conf file, which
we specify using the -c option.

Then whenever a new packet arrives, depending on what protocol it is,
different rules are applied to it to see if there is a match,
i.e. if the packet belongs to FTP then ftp.rules are applied to it;
if it is a telnet packet, then telnet.rules is applied.

Similarly, scan rules would be applied whenever we get 'tcp syn'
packets.

Is that how Snort does it? Please correct me if I have understood it
wrong.
Also please point out if there is any place where I can read about how
Snort does the analysis.

Thanks a lot
Ashley
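An added illustration of the rule-matching step the question is about; this is a small Python model written for this archive page, not code from Snort itself. It shows rules being selected by their header (protocol, source port, destination port) rather than by which rules file they came from, and only then having their options (content, flags) tested. The Packet class, the simplified rule grammar and the three sample rules are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed packet model for this example; it is not Snort's decoder.
@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src_port: int
    dst_port: int
    syn_only: bool = False  # True for a bare TCP SYN (only the SYN flag set)
    payload: bytes = b""

# Simplified Snort rule line: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+(?P<sport>\S+)\s+->\s+"
    r"\S+\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Return (proto, sport, dport, options) for one rule line."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("cannot parse rule: " + text)
    opts = {}
    for opt in m["opts"].split(";"):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts[key] = val.strip().strip('"')
    return m["proto"], m["sport"], m["dport"], opts

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def header_matches(rule, pkt):
    proto, sport, dport, _ = rule
    return (proto == pkt.proto and port_matches(sport, pkt.src_port)
            and port_matches(dport, pkt.dst_port))

def options_match(opts, pkt):
    # Only the two option keywords used in RULES below are modelled.
    if "content" in opts and opts["content"].encode() not in pkt.payload:
        return False
    if opts.get("flags") == "S" and not pkt.syn_only:
        return False
    return True

def match(rules, pkt):
    """Header selects candidate rules; options decide the final alerts."""
    return [r[3]["msg"] for r in rules
            if header_matches(r, pkt) and options_match(r[3], pkt)]

RULES = [parse_rule(r) for r in [
    'alert tcp any any -> any 21 (msg:"FTP USER seen"; content:"USER";)',
    'alert tcp any any -> any 23 (msg:"telnet connection";)',
    'alert tcp any any -> any any (msg:"bare SYN"; flags:S;)',
]]
```

A SYN to port 23 triggers both the telnet rule and the SYN rule because both headers match it, which is the point: the file a rule was loaded from plays no part in selection.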



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
