Snort mailing list archives

Re: info about snort architecture


From: Bennett Todd <bet () rahul net>
Date: Wed, 26 Mar 2003 12:42:36 -0500

On Wed, Mar 26, 2003 at 12:52:16PM +0100, Andrea Iacopini wrote:
> very simple question: what kind of analysis snort use?

Would that it were simple.

> I refer to signature analysis and protocol analysis.

Snort definitely does signature analysis; it has a database of signatures (in
the rules files) that match various attacks, or in some cases vulnerabilities,
and set off alerts.

"Protocol analysis" is harder to answer, since that's a vague marketing term.

Snort has many preprocessors, many of which analyze packets with knowledge of
various protocols, reporting various sorts of problems. Snort can certainly
claim to be doing protocol analysis.

However, since marketers created the phrase "protocol analysis" to try and
differentiate their own products, you'll see different definitions bandied
about by different people; I wouldn't recommend using that phrase to try and
get work done :-).

-Bennett

