Snort mailing list archives
Snort's detection scheme
From: j2mb0 () riseup net
Date: Fri, 12 May 2017 22:03:40 +0200
Dear Snort Development Members,

In the frame of my thesis, I want to contribute to the Snort project by hopefully implementing a faster variant of the detection engine, where some experiments are going to be conducted. These experiments will not only evaluate the new approach but also compare it to Snort's detection scheme. Thus, it is necessary to overcome the problems I am facing in the following. Hereby I want to ask some questions about Snort's detection process before modifying the source code and/or writing my own detection plugin:

(1) In the year 2003, a patch called "Snort-NG" was submitted by Christopher Kruegel which replaces the detection engine by utilizing a decision-tree-based scheme described in http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.10.9927. The authors deleted the source code from their website and there are no traces of Snort-NG online. Is there any way to find it?

(2) With the release of Snort 2, the detection scheme is not single-match anymore. This is what I have understood from the content of the document http://web.cs.ucdavis.edu/~wu/ecs236/sf_snort20_HPMRIE.pdf: 1. upon packet classification the corresponding port group is chosen, and then 2. a parallel string matching is applied which might result in different matching rules. After reading the source code in Snort (pcrm.c), where a description of choosing the rule groups is given, I am becoming confused: how does the described procedure correlate to the alert order described in https://www.snort.org/faq/readme-alert_order? Does Snort find all matching rules and trigger an alert only for the first one, with the rest residing in the event queue, or does it stop after matching the first rule only? There is no official description of the exact matching algorithm. I am confused.

(3) If I were to replace the detection scheme of Snort while still wanting to take advantage of the RTN and OTN, say for example by applying a linear search over the RTN, does this step require writing a detection plugin, or is it about replacing the detection engine of Snort itself?

(4) What is the best way to debug and view data structures related to the classification scheme?

I would be thankful for any help.

Best Greetings,
Alex Matanis
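A toy model of the multi-match-then-queue behaviour the question circles around, added here as an illustration and not code from Snort or from the poster: every rule in the selected port group is evaluated, all matches are queued, and the queue is ordered before only the top entries are logged. The rules, sids, sample packet and the `max_queue`/`log`/ordering parameters are constructed assumptions modelled on the event-queue options named in the alert-order FAQ linked above.

```python
"""Constructed toy model of a multi-match detection pass with an event queue.
Not Snort code: the rules, sids, packet and parameters are assumptions."""
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int
    dst_port: int
    content: bytes   # pattern the rule's content option must find in the payload
    priority: int    # lower number = higher priority


# Constructed rule set; sids and patterns are placeholders, not real Snort rules.
RULES = [
    Rule(1000001, 80, b"/cgi-bin/", 1),
    Rule(1000002, 80, b"/cgi-bin/php", 2),
    Rule(1000003, 80, b"User-Agent: scanner", 3),
    Rule(1000004, 25, b"RCPT TO", 2),
]

# Constructed sample payload: matches all three port-80 rules at once.
SAMPLE_PKT = b"GET /cgi-bin/php HTTP/1.1\r\nUser-Agent: scanner\r\n"


def build_port_groups(rules):
    """Group rules by destination port (the port-group selection step)."""
    groups = {}
    for r in rules:
        groups.setdefault(r.dst_port, []).append(r)
    return groups


def detect(payload, dst_port, groups, max_queue=8, log=3, order="content_length"):
    """Evaluate every rule in the chosen port group (multi-match), queue all
    matches up to max_queue, sort by the chosen order, return the top `log` sids."""
    queue = [r for r in groups.get(dst_port, []) if r.content in payload]
    if order == "content_length":
        queue.sort(key=lambda r: (-len(r.content), r.sid))  # longest content first
    else:  # "priority"
        queue.sort(key=lambda r: (r.priority, r.sid))
    return [r.sid for r in queue[:max_queue][:log]]


if __name__ == "__main__":
    groups = build_port_groups(RULES)
    print(detect(SAMPLE_PKT, 80, groups))                      # all three, longest first
    print(detect(SAMPLE_PKT, 80, groups, log=1, order="priority"))  # one alert, by priority
```

Changing `order` or `log` shows why "which rule alerts first" depends on the queue configuration rather than on which rule matched first.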