Snort mailing list archives
Snort architecture- How Detection Engine works?
From: "Daniel Lopez" <dlopez () tct hut fi>
Date: Mon, 1 Jul 2002 00:38:19 +0300
Hello,

I would like to understand how the Detection Engine works. I could read in the Snort Users Manual that currently, four protocols are analyzed for suspicious behavior: TCP, UDP, ICMP and IP. I also read that the detection engine uses a three-dimensional linked list for the rule matching and thus, for each protocol, a separate three-dimensional linked list is created, is that right?

When a packet arrives at the detection engine, depending on the protocol, it will be sent to the correct rule tree, then compared against each Rule Tree Node (RTN) from the left to the right of the rule tree. When a match is found, it is compared against each Option Tree Node (OTN), and again, until a match is found. Still right?

However, an IP packet can contain a TCP or a UDP packet. Does it mean that if I have IP rules and TCP rules, the packet will first be checked against the RTNs and the OTNs of the IP rule tree, and then against the RTNs and OTNs of the TCP rule tree? How does this work?

Thanks! :)

Daniel Lopez
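A small model of the two-level RTN/OTN rule tree the question describes, added here as an illustration and not taken from the Snort source. The rule fields, the sample rules and packets, and the "protocol tree first, then IP tree" evaluation order are assumptions of this model, not a statement about how Snort itself orders the trees.

```python
# Illustrative model of a per-protocol rule tree: a list of Rule Tree Nodes (RTN),
# each holding the header criteria shared by several rules and a chain of Option
# Tree Nodes (OTN) carrying the per-rule options (here only a payload content match).
# This is an added example, not Snort code; all values below are constructed.
from dataclasses import dataclass, field

@dataclass
class OTN:
    sid: int
    msg: str
    content: bytes = b""        # payload substring required; b"" matches any payload

@dataclass
class RTN:
    src: str                    # IP address or "any"
    dst: str
    sport: object               # port number or "any"
    dport: object
    otns: list = field(default_factory=list)

def _match(rule_value, actual):
    return rule_value == "any" or rule_value == actual

def eval_tree(rtns, pkt):
    """Walk RTNs left to right; on a header match, walk its OTN chain and return the first hit."""
    for rtn in rtns:
        if not (_match(rtn.src, pkt["src"]) and _match(rtn.dst, pkt["dst"])
                and _match(rtn.sport, pkt["sport"]) and _match(rtn.dport, pkt["dport"])):
            continue                        # header did not match: next RTN
        for otn in rtn.otns:
            if otn.content in pkt["payload"]:
                return otn                  # first OTN whose options match wins
    return None

def add_rule(trees, proto, src, sport, dst, dport, otn):
    """Insert a rule: reuse an RTN with identical header criteria, else append a new RTN."""
    rtns = trees.setdefault(proto, [])
    for rtn in rtns:
        if (rtn.src, rtn.dst, rtn.sport, rtn.dport) == (src, dst, sport, dport):
            rtn.otns.append(otn)
            return
    rtns.append(RTN(src, dst, sport, dport, [otn]))

def detect(trees, pkt):
    """Protocol-specific tree first, then the IP tree (this ordering is an assumption of the model)."""
    for proto in (pkt["proto"], "ip"):
        hit = eval_tree(trees.get(proto, []), pkt)
        if hit is not None:
            return hit
    return None

# Constructed rule set: two TCP rules sharing one header (one RTN, two OTNs) and one IP rule.
TREES = {}
add_rule(TREES, "tcp", "any", "any", "10.0.0.5", 80, OTN(1001, "cgi probe", b"/cgi-bin/"))
add_rule(TREES, "tcp", "any", "any", "10.0.0.5", 80, OTN(1002, "any web traffic"))
add_rule(TREES, "ip", "192.0.2.9", "any", "any", "any", OTN(2001, "watched host"))

# Constructed packet: TCP to 10.0.0.5:80 without "/cgi-bin/", so OTN 1001 fails and 1002 fires.
PKT = {"proto": "tcp", "src": "192.0.2.9", "sport": 40000,
       "dst": "10.0.0.5", "dport": 80, "payload": b"GET /index.html"}
```

A UDP packet from the same source has no UDP tree to match, so in this model it falls through to the IP tree and hits OTN 2001.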