Snort mailing list archives
Re: Snort architecture- How Detection Engine works?
From: Yasir Abbas <syabbast () yahoo com>
Date: Sun, 30 Jun 2002 23:06:40 -0700 (PDT)
Umm! And I thought that all Snort rules are checked for a packet, without any depth, i.e., something like "IF this rule is true, then check for this rule, else not" does not take place; instead all rules are checked with AND within the rule itself, and OR between different rules; except activate of course, but that too activates other rules not for the same packet, but for the forthcoming packets. So I was wrong?? - yasir

--- Daniel Lopez <dlopez () tct hut fi> wrote:

Hello, I would like to understand how the Detection Engine works. I could read in the Snort Users Manual that currently, four protocols are analyzed for suspicious behavior: TCP, UDP, ICMP and IP. I also read that the detection engine uses a three-dimensional linked list for the rule matching and thus, for each protocol, a separate three-dimensional linked list is created, is that right?

When a packet arrives at the detection engine, depending on the protocol, it will be sent to the correct rule tree, then compared against each Rule Tree Node (RTN) from the left to the right of the rule tree. When a match is found, it is compared against each Option Tree Node (OTN), and again, until a match is found. Still right?

However, an IP packet can contain a TCP or a UDP packet. Does it mean that if I have IP rules and TCP rules, the packet will be first checked against the RTNs and the OTNs of the IP rule tree, and then against the RTNs and OTNs of the TCP rule tree? How does this work?

Thanks! :)
Daniel Lopez
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
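The rule walk the two messages describe (one rule tree per protocol, RTNs holding the distinct rule headers, OTNs holding each rule's options, AND inside a rule, OR across rules, and activate rules that only switch dynamic rules on for later packets), as an added toy model that is not Snort's code. The Packet, RTN and OTN classes, the `depth` option and the `activates`/`activated_by`/`count` fields are assumptions made for this example (the field names are borrowed from Snort rule syntax but the semantics are simplified); the model dispatches on the packet's own protocol only, so it does not answer the IP-tree-plus-TCP-tree question, which the thread itself leaves open.

```python
# Added example, not Snort's code: a toy model of the RTN/OTN walk described
# in the thread. Packet, rule and option shapes are assumptions.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp" or "ip" picks the rule tree
    dst: str
    dport: Optional[int] = None
    payload: bytes = b""


@dataclass
class OTN:
    """Option Tree Node: the option list of one rule. Every option must
    match (AND), so one failing option rejects this rule only."""
    sid: int
    msg: str
    content: Optional[bytes] = None
    depth: Optional[int] = None         # search only the first N payload bytes
    activates: Optional[int] = None     # activate rule: switches this group on
    activated_by: Optional[int] = None  # dynamic rule: member of this group
    count: int = 0                      # dynamic rule: packets to log once on
    remaining: int = 0                  # dynamic rule: runtime budget left


@dataclass
class RTN:
    """Rule Tree Node: one distinct rule header; rules sharing it hang off
    it as OTNs."""
    dst: str
    dport: Optional[int]
    otns: List[OTN] = field(default_factory=list)


def header_matches(rtn: RTN, pkt: Packet) -> bool:
    """'any' is a wildcard; other header fields must compare exactly."""
    if rtn.dst != "any" and rtn.dst != pkt.dst:
        return False
    return rtn.dport is None or rtn.dport == pkt.dport


def options_match(otn: OTN, pkt: Packet) -> bool:
    """AND across the options of a single rule."""
    if otn.content is not None:
        window = pkt.payload if otn.depth is None else pkt.payload[:otn.depth]
        if otn.content not in window:
            return False
    return True


class DetectionEngine:
    """One tree per protocol. RTNs are walked left to right; for a matching
    header every OTN is tried, so distinct rules are ORed together."""

    def __init__(self) -> None:
        self.trees: Dict[str, List[RTN]] = {p: [] for p in ("tcp", "udp", "icmp", "ip")}

    def add_rule(self, proto: str, dst: str, dport: Optional[int], otn: OTN) -> None:
        for rtn in self.trees[proto]:
            if (rtn.dst, rtn.dport) == (dst, dport):
                rtn.otns.append(otn)        # same header: reuse the RTN
                return
        self.trees[proto].append(RTN(dst, dport, [otn]))

    def _activate(self, group: int) -> None:
        for rtn in self.trees[pkt_proto] if False else sum(self.trees.values(), []):
            for otn in rtn.otns:
                if otn.activated_by == group:
                    otn.remaining = otn.count

    def detect(self, pkt: Packet) -> List[int]:
        """Return the sid of every rule the packet matches."""
        hits: List[int] = []
        pending: List[int] = []             # activations apply after this walk
        for rtn in self.trees[pkt.proto]:
            if not header_matches(rtn, pkt):
                continue
            for otn in rtn.otns:
                if otn.activated_by is not None and otn.remaining <= 0:
                    continue                # dynamic rule not switched on
                if not options_match(otn, pkt):
                    continue
                hits.append(otn.sid)
                if otn.activated_by is not None:
                    otn.remaining -= 1
                if otn.activates is not None:
                    pending.append(otn.activates)
        for group in pending:               # forthcoming packets only
            self._activate(group)
        return hits


def demo() -> Tuple[DetectionEngine, List[List[int]]]:
    """Constructed rules and packets; returns the engine and per-packet hits."""
    eng = DetectionEngine()
    eng.add_rule("tcp", "10.0.0.5", 80, OTN(1, "GET seen", content=b"GET"))
    eng.add_rule("tcp", "10.0.0.5", 80, OTN(2, "cgi-bin early", content=b"/cgi-bin/", depth=32))
    eng.add_rule("tcp", "10.0.0.5", 80, OTN(3, "probe", content=b"PROBE", activates=1))
    eng.add_rule("tcp", "10.0.0.5", 80, OTN(4, "log next 2", activated_by=1, count=2))
    pkts = [
        Packet("tcp", "10.0.0.5", 80, b"GET /cgi-bin/x HTTP/1.0"),   # sids 1 and 2
        Packet("tcp", "10.0.0.5", 80, b"GET " + b"A" * 40 + b"/cgi-bin/"),  # depth cuts sid 2
        Packet("tcp", "10.0.0.5", 80, b"PROBE"),                      # sid 3 activates group 1
        Packet("tcp", "10.0.0.5", 80, b"x"),                          # dynamic sid 4
        Packet("tcp", "10.0.0.5", 80, b"y"),                          # dynamic sid 4, budget spent
        Packet("tcp", "10.0.0.5", 80, b"z"),                          # nothing
        Packet("udp", "10.0.0.5", 80, b"GET"),                        # other tree: nothing
    ]
    return eng, [eng.detect(p) for p in pkts]
```

Running `demo()` shows the four rules collapsing into a single RTN because they share a header, the activate rule firing on the PROBE packet without switching the dynamic rule on for that same packet, and the UDP packet never touching the TCP tree.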