Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Rule based vs. Signature based detection engine

From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 21 Jul 2004 01:03:49 -0400
At 10:50 PM 7/20/2004, Tom Fulton wrote:
The Snort 2.0 book by Jay Beale, et. al., (p. 142) explains that Snort is rules-based, "which collects and correlates packets based on rules" and that this is better than a signature engine which is nothing more than a "definition of an attack". Can anyone expand on this clarification? I'm under the impression that a rule in a *.rules file is basically a "signature". Do you think Jay is referring to the ability to have pre-processor plug-ins that can normalize data before running against the signatures (sorry, I mean rules)? Aren't they basically the same thing when it comes right down to it?
I think the comparison here is between something purely text-match-only as being a "signature" but snort rules are multi-conditioned, and can have data-dependant byte jumps, etc. 



-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: