Snort mailing list archives
Re: (no subject)
From: "Keith W. McCammon" <keith-list () mccammon org>
Date: Sun, 22 Feb 2004 20:29:34 -0500
Sumit,

You'll want to read the white papers on sourcefire.com: http://sourcefire.com/technology/snort.html

Specifically, I think the paper on the multi-rule inspection engine is what you're looking for...
sumit vora wrote:
Hi folks...

Can anyone tell me... When Snort is "examining" the content of a packet... What happens... does it hold the packet at the gateway, and look for one string, say "chmod" all over the packet, as one rule might supposedly say, then, look for another, and another, and so on...?

Meaning, Does it look for all strings of interest in all the 2000 rules that are now posted on the link at the same time, or, does it hold the packet until each string of interest has been looked up, (i.e. Does it examine the packet payload several times for different strings, or, just once, for all strings)...

And, if only once, for all strings, how does snort take into account different depths to which the packet must be searched for different strings, and give a result without false positives?????????

Please folks... Serious doubt, and gotta get over it....

I'd appreciate any help...

Thanks,
Sumit.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
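Added example, not part of either message and not Snort's code: a sketch of the general technique the question asks about, where the payload is scanned once for all rule strings (an Aho-Corasick automaton) and each rule's depth is checked at the moment its string matches. The rule set, the names `build` and `inspect`, and the depth semantics used here (the match must end within the first N payload bytes) are assumptions for illustration.

```python
from collections import deque

# Constructed rules (assumption): (rule id, content, depth in bytes or None).
RULES = [
    (1, b"chmod", 20),
    (2, b"/bin/sh", None),
    (3, b"passwd", 8),
]

def build(rules):
    """Build one Aho-Corasick automaton over every rule's content string."""
    goto, fail, out = [{}], [0], [[]]
    for rid, pat, depth in rules:
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({})
                fail.append(0)
                out.append([])
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].append((rid, len(pat), depth))
    queue = deque(goto[0].values())
    while queue:                      # breadth-first pass sets failure links
        s = queue.popleft()
        for b, t in goto[s].items():
            queue.append(t)
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] = out[t] + out[fail[t]]   # inherit shorter suffix matches
    return goto, fail, out

def inspect(payload, automaton):
    """Scan payload once; return ids of rules whose content matched within depth."""
    goto, fail, out = automaton
    hits, s = set(), 0
    for i, b in enumerate(payload):
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        for rid, plen, depth in out[s]:
            end = i + 1               # match occupies payload[end - plen:end]
            if depth is None or end <= depth:
                hits.add(rid)         # string found AND inside its depth window
    return sorted(hits)

AUTOMATON = build(RULES)
```

Each payload byte is consumed once regardless of how many rules are loaded; a string found beyond its rule's depth is discarded at match time, so it produces no alert.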