Snort mailing list archives

Theoretical questions about snort


From: mosquitooth () gmx net
Date: Thu, 23 Dec 2004 17:34:14 +0100 (MET)

Dear Snort users,

I'm quite new to snort but nevertheless very enthusiastic about it. What
strikes me most is the enormous speed of snort (able to scan a 150MBit line
with nearly no packet loss)!
I'd even like to contribute to snort (by programming some code), but for a
snort newbie starting is difficult. The source code contains only a little
information about what's going on - so, is there a white paper (or a book)
out there that especially covers the internal programming and behaviour of
snort?
What I think is especially odd is the enormous speed. When I imagine my
code walking down a linked list of e.g. 2500 rules for EACH PACKET - this
would end really s l o w . . .
So, how is it done? How is Snort able to check for so many rules per packet
in such a short time? Is there any trick behind it?

Thanks a lot and Merry Christmas

Peter
