Re: snort 2.9.x.x software flow chart

[waldo kitty <wkitty42 () windstream net>]

On 4/4/2013 10:59, Lawrence R. Hughes,Sr. wrote:
> Waldo Kitty,
>
> Thanks for the reply.. Software flow from internet would be great..

here are a couple of possible answers...

http://stackoverflow.com/questions/7962791/i-want-to-know-full-flow-of-how-snort-processes-a-packet


figure 6 in the below old (2004) pdf concerning snort 2.4 might help... not sure 
how far off the mark it may be with today's 2.9 version of snort...

http://www.princeton.edu/~soumyas/papers/bell_labs_report_snort.pdf


there's also the below from 5 Sep 2012 in this list...

http://comments.gmane.org/gmane.comp.security.ids.snort.general/37619


i can't get to seclists.org or insecure.org right now... but there are a few 
links pointing to them as well... oh, wait... they are point to the above 
discussion i linked to on gmane...


here's a little something from the father of snort, martin roesch...

http://securitysauce.blogspot.com/2007/11/snort-30-architecture-series-part-1.html


dunno if these are what you may be looking for or not... they are what i found 
from uncle google in a few minutes and using a couple of different search term 
phrases... "snort process flow", "snort packet diagram flow", "snort 
architecture diagram"... each without the quotes of course ;)



> Thanks,
> Larry
>
> -----Original Message-----
> From: waldo kitty
> Sent: Wednesday, April 03, 2013 6:43 PM
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] snort 2.9.x.x software flow chart
>
> On 4/3/2013 13:28, Lawrence R. Hughes,Sr. wrote:
> > Hi,
> > I am looking for a software flowchart for snort2.9.x.x
> > Anyone know where I can find a copy?
>
> are you speaking of the internet to snort flow or a flow chart for
> installation
> or something else?
>
> > Also, What program handles the capture point (where packets are deemed not
> > to be
> > a threat and are allowed to pass)?
>
> there are two options, if i'm understanding your question...
>
> the first option is snort in inline mode with DROP rules... in this mode,
> the
> traffic comes in on one interface to snort, gets processed, and then if it
> passes, snort feeds it out on another interface to the rest of the network
> being
> protected... if snort determines that it is unwanted traffic, then snort
> DROPs
> the traffic and doesn't pass it on inward...
>
> the second option is to use some software that monitors the alert file or
> the
> alerts being posted to the database... there are several packages that can
> handle the traffic at this stage... these packages have different ways of
> telling the firewall to block the traffic... they may issue instructions to
> iptables on a linux system or they may issue commands to some other software
> which would then initiate the block or drop...
>
> > I am sure a flowchart would be very useful to find out what code handles
> > what?
>
> i'm going to assume that this is a further clarification of the first query
> and
> that you are wanting to see how the traffic flows into and through snort's
> modules...



------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!