Snort mailing list archives
RE: Analysis done by Snort
From: "John Berkers" <berjo () ozemail com au>
Date: Thu, 27 Sep 2001 23:14:08 +1000
When snort starts it reads the rules in from the specified conf file. If include statements appear, then it reads the contents of these files as well. As each rule is read it is added into a rule tree (I'm not sure how Marty put it together, but it's pretty nifty how it works). If you are running snort in non-daemon mode it will echo to standard out how many rules it has read, and how many rule headers it created.

The order in which the rules appear in the files is important in some cases. If you have two similar rules you would need to put the more specific one first.

Once snort has finished reading the rules files successfully, it no longer cares which file the rule came from; this is only ever used when snort reports a problem with a rule. The rule files are only named the way they are for a logical method of grouping them together, making it easier for analysts to find a particular rule. You could (if you wanted to) put a telnet rule in ftp.rules, or vice versa. It won't make a difference to snort where the rule came from.

When snort receives a packet to process it goes about matching it to one of the rules in the rule chains. It does this by comparing protocol (TCP, UDP, ICMP) and then Source IP, Source Port, Dest IP, Dest Port, and whatever other options (Content, Flags, DSize, CSum, etc.) are specified for any of the rules. The first match is what an alert is generated for; if there are any other matches you will not see them, and it is up to you to further analyse the packet & payload and act upon it.

Hope that clarifies things for you (and hope I got none of it too wrong).
regards,
John Berkers
ICQ: 112912
Network Services
Hansen Corporation
john.berkers () hancorp com au
berjo () ozemail com au

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ashley Thomas
Sent: Thursday, 27 September 2001 12:11
To: snort-users () lists sourceforge net
Subject: [Snort-users] Analysis done by Snort

Hi,

I have a doubt regarding how snort does the analysis. When Snort starts it reads all the rules from the snort.conf file which we specify using the -c option. Then whenever a new packet arrives, depending on what protocol it is, different rules are applied to it to see if there is a match, i.e. if the packet belongs to ftp then ftp.rules are applied to it; if it is a telnet packet, then telnet.rules is applied. Similarly scan rules would be applied whenever we get 'tcp syn' packets. Is it how snort does it? Please correct me if I have understood it wrong. Also please point out if there is any place where I can read on how snort does the analysis.

thanks a lot
Ashley

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
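The evaluation John describes above (header fields compared first, then payload options, the first matching rule wins, and a generic rule placed before a more specific one hides the specific one) modelled in Python. This is an added example, not code from the thread or from Snort itself: the rule grammar is a hand-written subset of Snort 1.x syntax (action, protocol, source/destination with CIDR, port, `!` negation and `lo:hi` ranges, and the `msg`, `content` and `dsize` options), and the rules and the FTP packet are constructed for the demonstration.

```python
"""Toy model of first-match rule evaluation in the style of Snort 1.x rules (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, reduced rule grammar (assumption: a subset of Snort syntax, not Snort's parser):
#   action proto src_ip src_port -> dst_ip dst_port (key:value; key:"value"; ...)
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: Dict[str, str] = field(default_factory=dict)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def parse_rule(text: str) -> Rule:
    """Split a rule into its header fields and a dict of its options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    options: Dict[str, str] = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"')
    return Rule(m.group("action"), m.group("proto").lower(), m.group("src"),
                m.group("sport"), m.group("dst"), m.group("dport"), options)


def _ip_matches(spec: str, addr: str) -> bool:
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    hit = True if spec == "any" else ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def _port_matches(spec: str, port: int) -> bool:
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:  # lo:hi range, either bound may be omitted
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def header_matches(rule: Rule, pkt: Packet) -> bool:
    """Rule header: protocol first, then source IP/port, then destination IP/port."""
    return (rule.proto == pkt.proto.lower()
            and _ip_matches(rule.src, pkt.src) and _port_matches(rule.sport, pkt.sport)
            and _ip_matches(rule.dst, pkt.dst) and _port_matches(rule.dport, pkt.dport))


def options_match(rule: Rule, pkt: Packet) -> bool:
    """Payload options: content (substring) and dsize (<N, >N or N); msg is only a label."""
    if "content" in rule.options and rule.options["content"].encode() not in pkt.payload:
        return False
    if "dsize" in rule.options:
        spec, n = rule.options["dsize"], len(pkt.payload)
        if spec.startswith("<"):
            return n < int(spec[1:])
        if spec.startswith(">"):
            return n > int(spec[1:])
        return n == int(spec)
    return True


def all_matches(rules: List[Rule], pkt: Packet) -> List[Rule]:
    """Every rule that would match: the hits first-match evaluation never reports."""
    return [r for r in rules if header_matches(r, pkt) and options_match(r, pkt)]


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First-match semantics as described in the post: stop at the first hit, in file order."""
    for r in rules:
        if header_matches(r, pkt) and options_match(r, pkt):
            return r
    return None


# Constructed rules in file order: the generic FTP rule is placed BEFORE the specific one.
GENERIC_FIRST = [
    'alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP traffic";)',
    'alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP root login attempt"; content:"USER root"; dsize:>5;)',
]
SPECIFIC_FIRST = list(reversed(GENERIC_FIRST))

# Constructed sample packet: a client sending "USER root" to an FTP server.
SAMPLE = Packet("tcp", "10.0.0.5", 40001, "192.168.1.10", 21, b"USER root\r\n")


def alert_msg(rule_texts: List[str], pkt: Packet) -> Optional[str]:
    """Return the msg of the rule that would raise the alert under first-match evaluation."""
    hit = first_match([parse_rule(t) for t in rule_texts], pkt)
    return hit.options.get("msg") if hit else None


if __name__ == "__main__":
    print("generic first :", alert_msg(GENERIC_FIRST, SAMPLE))
    print("specific first:", alert_msg(SPECIFIC_FIRST, SAMPLE))
    hidden = all_matches([parse_rule(t) for t in GENERIC_FIRST], SAMPLE)
    print("all matches   :", [r.options["msg"] for r in hidden])
```

With the generic rule first the alert is only "FTP traffic" and the "USER root" rule never fires, even though `all_matches` shows both rules hit; reversing the file order yields the specific alert. Note that the model only marks a rule as matching when both header and options agree, so the same generic-before-specific ordering problem is invisible to a header-only check.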
Current thread:
- Analysis done by Snort Ashley Thomas (Sep 26)
- RE: Analysis done by Snort John Berkers (Sep 27)
- Re: Analysis done by Snort Erek Adams (Sep 27)