Snort mailing list archives
Re: how to start to read the snort source code
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 03 Feb 2004 19:41:44 -0500
At 07:12 PM 2/3/2004, Tao Peng wrote:
I am a rookie to snort. I intend to understand the snort source code. Can anyone tell me what I shall start with? For example, how to understand the structure of snort, and what function each source file provides? Any documents or other information are highly appreciated!
DISCLAIMER: I'm not a snort devel, so I'm largely talking from a limited understanding of this stuff. I'm also looking at a 2.0.5 source tree at the moment (it's what I have lying around on my windows box).
Most of the "top level" stuff should be obvious if you're fairly familiar with C programming and normal snort usage/configuration.
However you'll probably need to get a good understanding of how the guts of snort really work in an abstract way before looking at the code.
I'd suggest reading some of sourcefire's whitepapers on the snort guts for starters:
http://www.sourcefire.com/technology/whitepapers.html
Although dated, the original snort paper that Marty put out is good: http://www.snort.org/docs/lisapaper.txt
As for the source itself, most of the files are pretty clearly named and/or commented, at least well enough to get started.
i.e.: looking at the comments on the top of mpse.c, it states it's "An abstracted interface to the Multi-Pattern Matching routines", so it probably stands for "Multi Pattern Search Engine". The rest of the file is not commented very much (in 2.0.5), but its basic functionality is apparent.
In general, most of the basic "core" snort functionality is implemented by the files right in the src directory.
src/parser contains some tools for parsing rule files
src/preprocessors contains packet preprocessors like http_decode, stream4, etc.
src/detection-plugins contains code that does the grunt work of seeing if a packet matches certain parts of the rule trees. This is where dsize checks, etc. are done.
src/output-plugins contains logging and other output modules
src/win32 contains win32 specific add-ons to the code.
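The reading approach above (take the comment at the top of each .c file and group files by src subdirectory) as a small script. This is an added example, not code from the thread or from Snort itself; the file tree it builds is a constructed sample that only mimics the layout described, and the comment texts in it (except the mpse.c one quoted above) are made up.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample tree mimicking the layout described in the reply; not real Snort sources.
SAMPLE_TREE = {
    "src/mpse.c": "/*\n** An abstracted interface to the Multi-Pattern Matching routines\n*/\n#include \"mpse.h\"\n",
    "src/parser/parser.c": "/* Rule file parsing helpers (constructed sample) */\nint parse_rule(void);\n",
    "src/detection-plugins/sp_dsize_check.c": "// dsize check plugin (constructed sample)\nint check(void);\n",
    "src/preprocessors/spp_stream4.c": "int no_comment(void);\n",  # file with no header comment
}

# Matches a /* ... */ block or a // line only when it is the first thing in the file.
LEADING_COMMENT = re.compile(r"\A\s*(?:/\*(.*?)\*/|//([^\n]*))", re.S)

def header_comment(text):
    """Return the first comment of a C file as one line, or '' if the file has none."""
    m = LEADING_COMMENT.match(text)
    if not m:
        return ""
    body = m.group(1) if m.group(1) is not None else m.group(2)
    # Drop the '**' decoration that Snort-style block comments put on each line.
    lines = [re.sub(r"^\s*\*+\s?", "", ln).strip() for ln in body.splitlines()]
    return " ".join(ln for ln in lines if ln)

def summarize_tree(root):
    """Map each subdirectory under root to {file name: header comment} for its .c files."""
    root = Path(root)
    summary = {}
    for path in sorted(root.rglob("*.c")):
        rel = path.relative_to(root)
        summary.setdefault(str(rel.parent), {})[rel.name] = header_comment(path.read_text())
    return summary

def write_sample_tree():
    """Write SAMPLE_TREE into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp())
    for rel, text in SAMPLE_TREE.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return root

if __name__ == "__main__":
    for group, files in summarize_tree(write_sample_tree()).items():
        print(group)
        for name, comment in files.items():
            print(f"  {name}: {comment or '(no header comment)'}")
```

Point it at a real src directory instead of the sample tree to get the same per-directory index of header comments.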
Current thread:
- how to start to read the snort source code Tao Peng (Feb 03)
- Re: how to start to read the snort source code Matt Kettler (Feb 03)