Snort mailing list archives
Rule based vs. Signature based detection engine
From: "Tom Fulton" <tfulton9909 () comcast net>
Date: Tue, 20 Jul 2004 19:50:52 -0700
The Snort 2.0 book by Jay Beale, et al., (p. 142) explains that Snort is rules-based, "which collects and correlates packets based on rules" and that this is better than a signature engine which is nothing more than a "definition of an attack". Can anyone expand on this clarification? I'm under the impression that a rule in a *.rules file is basically a "signature". Do you think Jay is referring to the ability to have pre-processor plug-ins that can normalize data before running against the signatures (sorry, I mean rules)? Aren't they basically the same thing when it comes right down to it?
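To make the distinction the question is about concrete, here is an added toy example (it is not from the post, the book, or Snort's own code). It contrasts a bare byte "signature" with a Snort-style "rule" that also carries header constraints (protocol, destination port, home-net direction) and runs a crude preprocessor-style URI normalization before the content match. The Packet and Rule classes, the HOME_NET prefix and all sample packets are constructed for the illustration; the normalizer is a stand-in for something like http_inspect, not a copy of it.

```python
"""Toy comparison: bare byte signature vs. Snort-style rule with header
constraints and preprocessor-style normalization.

Added example, not code from the original post or from Snort.
All packets and the HOME_NET prefix below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


HOME_NET = "10.0.0."   # constructed "protected network" prefix


def signature_match(pkt: Packet, pattern: bytes) -> bool:
    """A bare signature: does the raw payload contain these bytes?
    No protocol, port, direction or decoding is considered."""
    return pattern in pkt.payload


def normalize_http_uri(payload: bytes) -> bytes:
    """Crude stand-in for an HTTP preprocessor: percent-decode the
    request and collapse '/./' segments so an obfuscated URI is
    compared in its canonical form. (Real http_inspect does far more.)"""
    text = unquote(payload.decode("latin-1"))
    while "/./" in text:
        text = text.replace("/./", "/")
    return text.encode("latin-1")


@dataclass
class Rule:
    proto: str
    dst_port: int
    to_home_net: bool   # only fire on traffic headed into HOME_NET
    content: bytes
    normalize: bool = False   # apply normalize_http_uri before matching

    def matches(self, pkt: Packet) -> bool:
        # Header options are checked first, like a Snort rule header.
        if pkt.proto != self.proto or pkt.dst_port != self.dst_port:
            return False
        if self.to_home_net and not pkt.dst_ip.startswith(HOME_NET):
            return False
        # Content option runs on normalized or raw data depending on the rule.
        data = normalize_http_uri(pkt.payload) if self.normalize else pkt.payload
        return self.content in data


TRAVERSAL = b"/../"
RAW_RULE = Rule("tcp", 80, True, TRAVERSAL, normalize=False)
NORM_RULE = Rule("tcp", 80, True, TRAVERSAL, normalize=True)

# Constructed sample packets.
P_PLAIN = Packet("tcp", "203.0.113.7", "10.0.0.5", 80,
                 b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n")
P_ENCODED = Packet("tcp", "203.0.113.7", "10.0.0.5", 80,
                   b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n")
P_DNS = Packet("udp", "203.0.113.7", "10.0.0.5", 53,
               b"\x12\x34\x01\x00/../\x00")
P_OUTBOUND = Packet("tcp", "10.0.0.5", "203.0.113.9", 80,
                    b"GET /../etc/passwd HTTP/1.0\r\n")


def compare(pkt: Packet) -> tuple:
    """Return (bare_signature, raw_rule, normalized_rule) verdicts."""
    return (signature_match(pkt, TRAVERSAL),
            RAW_RULE.matches(pkt),
            NORM_RULE.matches(pkt))


if __name__ == "__main__":
    for name, pkt in [("plain", P_PLAIN), ("encoded", P_ENCODED),
                      ("dns", P_DNS), ("outbound", P_OUTBOUND)]:
        sig, raw, norm = compare(pkt)
        print(f"{name:9s} signature={sig!s:5s} raw_rule={raw!s:5s} norm_rule={norm}")
```

The encoded request shows why the preprocessor matters: the bare signature and the un-normalized rule both miss it, while the normalized rule catches it. The DNS and outbound packets show the other half of the difference: the bare signature fires on any payload containing the bytes, whereas the rule's header options suppress both.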
Current thread:
- Rule based vs. Signature based detection engine Tom Fulton (Jul 20)
- Re: Rule based vs. Signature based detection engine Matt Kettler (Jul 20)
- RE: Rule based vs. Signature based detection engine Tom Fulton (Jul 20)
- Re: Rule based vs. Signature based detection engine Keith W. McCammon (Jul 21)
- Re: Rule based vs. Signature based detection engine Keith W. McCammon (Jul 21)
- RE: Rule based vs. Signature based detection engine Tom Fulton (Jul 20)
- Re: Rule based vs. Signature based detection engine Matt Kettler (Jul 20)