Snort mailing list archives

Re: Technically speaking


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 31 Mar 2004 13:50:22 -0500

At 07:10 AM 3/31/2004, G DINESH wrote:
> Hi, I'm Dinesh,
>
> <snip>
>
> I'm not able to make up which file
> takes up the rules and constructs the tree, and checks
> the validation of the rules.
> Are separate trees constructed for TCP, UDP, ICMP?
> How is the matching done?
>
> Do you have any simple solution for me?

Simple? No.. snort isn't simple, but I can give you some direction.

Disclaimer: I'm NOT a snort devel, and am only very casually familiar with the snort code from a short amount of time spent skimming it.


I'd suggest first reading through parser.c. That is what builds the trees from the rules in the first place.

Then go to detect.c and find the function:
        int Detect(Packet * p)

The detection process will eventually wind up calling many functions contained in the various files of the detection-plugins subdir. These functions do a lot of the "grunt work" of detecting a match between a packet and a given node.



> One more thing I would like to ask is about the LOGO of
> snort. Why the name "snort" and
> logo=pig ????????????????!!!!

Because there are two sounds a pig makes commonly referred to in English.. they squeal, and they snort.
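To make the two-level structure Matt points at concrete (one tree per protocol, header nodes each owning a chain of option nodes, which is the RuleTreeNode/OptTreeNode split parser.c builds and Detect() walks), here is a toy model added as an illustration; it is not code from the Snort tree, the type and function names are my own, and the rule set, sids and protocol numbers are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of Snort's rule tree: one list of header nodes per protocol, each
 * header node owning a chain of option nodes. The real code tests far more
 * than ports and one content string; this only shows the walk. */
typedef struct OptNode { int sid; const char *content; struct OptNode *next; } OptNode;
typedef struct HdrNode { int sport, dport; OptNode *opts; struct HdrNode *next; } HdrNode;
typedef struct { HdrNode *tcp, *udp, *icmp; } RuleLists;  /* separate tree per protocol */
typedef struct { int proto, sport, dport; const char *payload; } Packet;
static HdrNode **list_for(RuleLists *rl, int proto) {       /* IP protocol number -> tree */
    return proto == 6 ? &rl->tcp : proto == 17 ? &rl->udp : proto == 1 ? &rl->icmp : NULL;
}
/* Parser side: rules with an identical header (port 0 = any) share one header
 * node, so the header is tested once and only the option chain grows. */
int add_rule(RuleLists *rl, int proto, int sport, int dport, int sid, const char *content) {
    HdrNode **head = list_for(rl, proto), *h;
    if (!head) return -1;                                   /* unsupported protocol */
    for (h = *head; h && !(h->sport == sport && h->dport == dport); h = h->next) { }
    if (!h) {                                               /* no such header yet: new node */
        h = calloc(1, sizeof *h);
        h->sport = sport; h->dport = dport; h->next = *head; *head = h;
    }
    OptNode *o = calloc(1, sizeof *o);                      /* push option node onto chain */
    o->sid = sid; o->content = content; o->next = h->opts; h->opts = o;
    return 0;
}
/* Detection side: choose the tree by protocol, test the header, then walk the
 * option chain (here only a content test). Returns first matching sid, or 0. */
int detect(RuleLists *rl, const Packet *p) {
    HdrNode **head = list_for(rl, p->proto);
    if (!head) return 0;
    for (HdrNode *h = *head; h; h = h->next) {
        if ((h->sport && h->sport != p->sport) || (h->dport && h->dport != p->dport))
            continue;                                       /* header test failed */
        for (OptNode *o = h->opts; o; o = o->next)
            if (!o->content || (p->payload && strstr(p->payload, o->content)))
                return o->sid;
    }
    return 0;
}
/* Constructed rule set: two TCP rules sharing one header node, one UDP rule. */
int demo_match(int proto, int sport, int dport, const char *payload) {
    RuleLists rl = {0};
    add_rule(&rl, 6, 0, 80, 1001, "cmd.exe");   /* alert tcp any any -> any 80 (content:"cmd.exe"; sid:1001;) */
    add_rule(&rl, 6, 0, 80, 1002, "passwd");    /* same header, second option node */
    add_rule(&rl, 17, 0, 53, 2001, NULL);       /* alert udp any any -> any 53 (sid:2001;) */
    Packet p = { proto, sport, dport, payload };
    return detect(&rl, &p);
}
```

Note that a header node whose option chain yields no match does not stop the walk; detection moves on to the next header node in the same protocol tree.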




