Snort mailing list archives

Snort architecture- How Detection Engine works?


From: "Daniel Lopez" <dlopez () tct hut fi>
Date: Mon, 1 Jul 2002 00:38:19 +0300

Hello,

I would like to understand how the Detection Engine works.

I read in the Snort Users Manual that currently four protocols
are analyzed for suspicious behavior: TCP, UDP, ICMP and IP. I also
read that the detection engine uses a three-dimensional linked list for
the rule matching and thus, for each protocol, a separate
three-dimensional linked list is created. Is that right?

When a packet arrives at the detection engine, depending on the
protocol, it is sent to the correct rule tree, then compared
against each Rule Tree Node (RTN) from the left to the right of the rule
tree. When a match is found, it is compared against each Option Tree
Node (OTN), again until a match is found. Still right?

However, an IP packet can contain a TCP or a UDP packet. Does that mean
that if I have IP rules and TCP rules, the packet will first be checked
against the RTNs and the OTNs of the IP rule tree, and then against the
RTNs and OTNs of the TCP rule tree?

How does this work?
Thanks! :)

Daniel Lopez
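The following is an added toy model of the structure the question describes, written for this archive page; it is not Snort's source code and not part of the original message. Rule headers become RTNs grouped per protocol, rules that share a header share one RTN, and each RTN carries a chain of OTNs. The evaluation order it uses (the packet's own protocol tree first, then the generic IP tree as a fall-through) and the reduced option set (only msg and content) are assumptions of this illustration, as are the sample rules and the constructed packets.

```python
"""Toy model of the Snort 1.x RTN/OTN rule tree discussed in the post.
Added illustration only; not Snort's own code.  The protocol-tree-then-
IP-tree order below is an assumption of this model."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(
    r"^(alert|log|pass)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


@dataclass
class OTN:
    """Option Tree Node: the rule body.  Only msg and content are modelled."""
    msg: str
    content: Optional[bytes] = None

    def matches(self, payload: bytes) -> bool:
        return self.content is None or self.content in payload


@dataclass
class RTN:
    """Rule Tree Node: the rule header.  Rules with identical headers share one RTN."""
    proto: str
    src_net: Optional[ipaddress.IPv4Network]
    src_port: Optional[int]
    dst_net: Optional[ipaddress.IPv4Network]
    dst_port: Optional[int]
    otns: list = field(default_factory=list)

    def header_key(self):
        return (self.proto, self.src_net, self.src_port, self.dst_net, self.dst_port)

    def matches(self, pkt: "Packet") -> bool:
        def net_ok(net, addr):
            return net is None or ipaddress.ip_address(addr) in net

        def port_ok(want, got):
            return want is None or want == got

        return (net_ok(self.src_net, pkt.src) and port_ok(self.src_port, pkt.sport)
                and net_ok(self.dst_net, pkt.dst) and port_ok(self.dst_port, pkt.dport))


@dataclass
class Packet:
    """Constructed, decoded packet: just the fields the headers and options need."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    payload: bytes = b""


def _net(text: str):
    return None if text == "any" else ipaddress.ip_network(text, strict=False)


def _port(text: str):
    return None if text == "any" else int(text)


def _parse_options(opts: str) -> OTN:
    # Simplification: option values are assumed not to contain ';'.
    msg, content = "", None
    for item in opts.split(";"):
        key, _, value = item.strip().partition(":")
        value = value.strip().strip('"')
        if key.strip() == "msg":
            msg = value
        elif key.strip() == "content":
            content = value.encode()
    return OTN(msg, content)


class RuleTree:
    def __init__(self):
        self.trees = {p: [] for p in ("tcp", "udp", "icmp", "ip")}

    def add_rule(self, text: str) -> None:
        m = HEADER_RE.match(text)
        if not m:
            raise ValueError("unparsable rule: %r" % text)
        _action, proto, src, sport, dst, dport, opts = m.groups()
        rtn = RTN(proto, _net(src), _port(sport), _net(dst), _port(dport))
        for existing in self.trees[proto]:
            if existing.header_key() == rtn.header_key():
                rtn = existing          # reuse the RTN, just extend its OTN chain
                break
        else:
            self.trees[proto].append(rtn)
        rtn.otns.append(_parse_options(opts))

    def detect(self, pkt: Packet) -> Optional[str]:
        """Walk RTNs left to right; on a header match walk its OTN chain.
        Assumed order: the packet's protocol tree first, then the IP tree."""
        for proto in dict.fromkeys((pkt.proto, "ip")):
            for rtn in self.trees[proto]:
                if rtn.matches(pkt):
                    for otn in rtn.otns:
                        if otn.matches(pkt.payload):
                            return otn.msg
        return None


# Constructed sample rules for the illustration.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB GET"; content:"GET";)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB POST"; content:"POST";)',
    'alert udp any any -> 192.168.1.0/24 53 (msg:"DNS query";)',
    'alert ip 10.0.0.0/8 any -> any any (msg:"traffic from 10/8";)',
]


def build_tree() -> RuleTree:
    tree = RuleTree()
    for rule in RULES:
        tree.add_rule(rule)
    return tree
```

With the two TCP rules above sharing one header, the TCP tree holds a single RTN with two OTNs. A TCP packet from 10.1.1.1 to port 80 whose payload matches neither content option exhausts that OTN chain and, in this model, falls through to the IP tree, where the 10/8 rule fires.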


