Snort mailing list archives

Re: Snort architecture- How Detection Engine works?


From: Yasir Abbas <syabbast () yahoo com>
Date: Sun, 30 Jun 2002 23:06:40 -0700 (PDT)

Umm! And I thought that all Snort rules are checked for a packet, without any depth, i.e., something like "IF this rule is true, then check for this rule, else not" does not take place; instead all rules are checked with AND within the rule itself, and OR between different rules; except activate of course, but that too activates other rules not for the same packet, but for the forthcoming packets. So I was wrong??

- yasir

--- Daniel Lopez <dlopez () tct hut fi> wrote:
Hello,

I would like to understand how the Detection Engine works.

I could read in the Snort Users Manual that currently, four protocols were analyzed for suspicious behavior: TCP, UDP, ICMP and IP. I also read that the detection engine uses a three-dimensional linked list for the rule matching and thus, for each protocol, a separate three-dimensional linked list was created, is it right?

When a packet arrives at the detection engine, depending on the protocol, it will be sent to the correct rule tree, then compared against each Rule Tree Node (RTN) from the left to the right of the rule tree. When a match is found, it is compared against each Option Tree Node (OTN), and again, until a match is found. Still right?

However, an IP packet can contain a TCP or a UDP packet. Does it mean that if I have IP rules and TCP rules, the packet will be first checked against the RTNs and the OTNs of the IP rule tree, and then, against the RTNs and OTNs of the TCP rule tree?

How does this work?
Thanks! :)

Daniel Lopez




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
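The flow both messages describe, as an added example that is neither Snort's own code nor anything posted in this thread: a small Python model of the 1.x/2.0-era engine. Each protocol gets one chain of Rule Tree Nodes (rule headers); rules with an identical header share one RTN and hang their option bodies beneath it as Option Tree Nodes. A packet is routed to its protocol's chain, RTNs are tried left to right, and each RTN whose header matches has its OTNs tried in order; every option inside an OTN must hold (AND), and the first OTN that holds fires (OR across rules). The activate/dynamic pair illustrates Yasir's point: the activate rule arms the dynamic rule for later packets only, never the packet that triggered it. The following are assumptions made for the model, not confirmed Snort behaviour: the direction is always `->`, ports are `any` or one number, only the content/sid/activates/activated_by/count options are understood, the `ip` chain is walked after the protocol-specific chain, first match wins, and the rule set and traffic in `RULES` and `demo()` are constructed.

```python
# Toy model of the Snort 1.x/2.0-era detection engine (added illustration, not
# Snort's code). Assumed simplifications: direction is always '->', ports are
# 'any' or one number, only content/sid/activates/activated_by/count options
# are understood, and the 'ip' chain is walked after the protocol's own chain.
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "seq proto src sport dst dport payload")  # constructed input
OTN = namedtuple("OTN", "action sid content activates activated_by count")  # one rule body
RULE_RE = re.compile(r'^(\w+)\s+(tcp|udp|icmp|ip)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]+))?\s*;')


class RTN:  # Rule Tree Node: one header, shared by every OTN chained beneath it
    def __init__(self, key, otn):
        self.key, self.otns = key, [otn]   # key = (proto, src, sport, dst, dport)

    def matches(self, pkt):
        proto, src, sport, dst, dport = self.key
        return (ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst
                and sport in ("any", pkt.sport) and dport in ("any", pkt.dport))


def parse_rule(text):  # split one rule into its RTN key and its OTN
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s, strict=False)
    port = lambda s: "any" if s == "any" else int(s)
    o = {k: (v or "").strip().strip('"') for k, v in OPT_RE.findall(body)}
    num = lambda k: int(o[k]) if k in o else None
    otn = OTN(action, int(o["sid"]), o["content"].encode() if "content" in o else None,
              num("activates"), num("activated_by"), int(o.get("count", 0)))
    return (proto, net(src), port(sport), net(dst), port(dport)), otn


class DetectionEngine:
    def __init__(self, rules):
        self.chains = {"tcp": [], "udp": [], "icmp": [], "ip": []}  # proto -> RTN chain
        self.group_count = {}  # activation group -> count from its dynamic rule
        self.live = {}         # activation group -> (packets left, activating seq)
        for r in rules:
            self.add_rule(r)

    def add_rule(self, text):
        key, otn = parse_rule(text)
        if otn.activated_by is not None:
            self.group_count[otn.activated_by] = otn.count
        for rtn in self.chains[key[0]]:  # identical header -> share the RTN
            if rtn.key == key:
                rtn.otns.append(otn)
                return
        self.chains[key[0]].append(RTN(key, otn))

    def _options_match(self, otn, pkt):  # every option must hold (AND)
        if otn.content is not None and otn.content not in pkt.payload:
            return False
        if otn.activated_by is None:
            return True
        left, since = self.live.get(otn.activated_by, (0, -1))
        return left > 0 and pkt.seq > since  # armed, and never the activating packet itself

    def evaluate(self, pkt):
        """Return (action, sid) of the first rule that fires for pkt, else None."""
        for rtn in self.chains[pkt.proto] + self.chains["ip"]:  # RTNs left to right
            for otn in rtn.otns if rtn.matches(pkt) else ():    # then its OTNs in order
                if not self._options_match(otn, pkt):
                    continue
                if otn.activates is not None:  # arm the dynamic rules for later packets
                    self.live[otn.activates] = (self.group_count.get(otn.activates, 0), pkt.seq)
                if otn.activated_by is not None:  # spend one of the dynamic rule's packets
                    left, since = self.live[otn.activated_by]
                    self.live[otn.activated_by] = (left - 1, since)
                return otn.action, otn.sid
        return None


RULES = [  # constructed rule set
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"web GET"; content:"GET "; sid:1;)',
    'alert tcp any any -> 10.0.0.0/24 80 (msg:"web POST"; content:"POST "; sid:2;)',
    'activate tcp any any -> 10.0.0.5 23 (msg:"telnet prompt"; content:"login:"; activates:1; sid:3;)',
    'dynamic tcp any any -> 10.0.0.5 23 (activated_by:1; count:2; sid:4;)',
    'alert ip any any -> 10.0.0.7 any (msg:"any protocol to web host"; sid:5;)',
]


def demo():  # constructed traffic through the engine; one verdict per packet
    eng = DetectionEngine(RULES)
    t = lambda seq, proto, dst, dport, data: Packet(seq, proto, "192.0.2.1", 40000, dst, dport, data)
    packets = [
        t(0, "tcp", "10.0.0.7", 80, b"GET / HTTP/1.0\r\n"),    # tcp chain, first OTN
        t(1, "tcp", "10.0.0.7", 80, b"POST /x HTTP/1.0\r\n"),  # same RTN, second OTN
        t(2, "udp", "10.0.0.7", 53, b"\x00"),                  # udp chain empty, ip chain catches it
        t(3, "tcp", "10.0.0.5", 23, b"x"),                     # dynamic rule not yet armed
        t(4, "tcp", "10.0.0.5", 23, b"login:"),                # activate rule fires, arms group 1
        t(5, "tcp", "10.0.0.5", 23, b"root"),                  # dynamic rule, packet 1 of 2
        t(6, "tcp", "10.0.0.5", 23, b"pw"),                    # dynamic rule, packet 2 of 2
        t(7, "tcp", "10.0.0.5", 23, b"ls"),                    # count exhausted, nothing fires
    ]
    return [eng.evaluate(p) for p in packets]
```

`demo()` returns one verdict per packet: the two web rules share a single RTN and are told apart only by their OTNs, the UDP packet falls through to the `ip` chain because the `udp` chain is empty, and the telnet packets show that the dynamic rule (sid 4) stays silent until the activate rule (sid 3) has fired on an earlier packet and goes quiet again once its `count` is used up. Where the `ip` chain sits relative to the protocol chain is the open question Daniel asks; the model's choice is an assumption, and swapping the two lists in `evaluate()` is enough to try the other ordering.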



