Snort mailing list archives

Re: Theoretical questions about snort


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 23 Dec 2004 11:53:09 -0500

At 11:34 AM 12/23/2004, mosquitooth () gmx net wrote:
I'm quite new to snort but nevertheless very enthusiastic about it. What
strikes me most is the enormous speed of snort (able to scan a 150MBit line
with nearly no packet loss)!
I'd even like to contribute to snort (in programming some code), but for a
snort newbie starting is difficult. The source code contains only little
information about what's going on - so, is there a white paper (or a book)
out there that covers especially the internal programming and behaviour of
snort?
What I think is especially odd, is the enormous speed. When I imagine my
code walking down a linked list of e.g. 2500 rules for EACH PACKET - this
would end really s l o w . . .
So, how is it done? How is Snort able to check for so many rules per packet
in such a small time? Is there any trick behind it?

It's not done as a single linked list where every rule must be evaluated for every.. that would be horribly inefficient. Think of it in terms of a decision tree and you get closer to how it works.

I'm not sure about recent versions, but in general snort started off being architected as a linked list of linked lists. You started at a linked list of nodes, each of which specifies various IP and port limitations, and each pointing to a linked list of content rules. So you take your packet and traverse along the first list. When you find an IP/port node that matches, you traverse the list of content rules it points to, and execute those. Then you go back to the main list, looking for other IP/port nodes you need to run up. Remember, you can have ranges, and/or "any" as a port/IP specifier, so you may have to traverse many of these. The "ip any any -> any any" rules obviously get executed for every packet, but it makes no sense to bother with checking any of the port 80 rules for a packet bound to port 53.

More recent generations may have changed it to be multiple layers of lists to optimize further, but you get the general idea. They've also been improving the content matching algorithms over the years...

Normally you'd go here
http://www.snort.org/docs/

and look at "Development Papers". Unfortunately that points to a dead-end part of sourcefire's website..

Try here instead:
http://www.sourcefire.com/products/library.html

They ask for contact info to download the whitepapers...
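The "linked list of linked lists" layout described in the reply, as an added toy model that is not part of the original thread and not Snort's own code or data structures: a list of IP/port header nodes, each owning its own list of content rules. The rule set, SIDs, addresses and packets below are all constructed for the illustration; `evaluate` walks the tree and counts how many content rules actually had to be tested, and `evaluate_flat` does the naive one-big-list walk for comparison.

```python
"""Toy model of a two-level rule tree (header nodes -> content rules).
Constructed illustration only; not Snort's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class ContentRule:
    sid: int           # constructed, not real Snort SIDs
    msg: str
    content: bytes     # bytes that must appear somewhere in the payload

    def matches(self, pkt: Packet) -> bool:
        return self.content in pkt.payload


def _net_ok(net: Optional[str], addr: str) -> bool:
    return net is None or ip_address(addr) in ip_network(net)


def _port_ok(rng: Optional[Tuple[int, int]], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


@dataclass
class HeaderNode:
    """One IP/port node. None means 'any'; ports are an inclusive range."""
    src_net: Optional[str]
    sports: Optional[Tuple[int, int]]
    dst_net: Optional[str]
    dports: Optional[Tuple[int, int]]
    rules: List[ContentRule] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        return (_net_ok(self.src_net, pkt.src) and _port_ok(self.sports, pkt.sport)
                and _net_ok(self.dst_net, pkt.dst) and _port_ok(self.dports, pkt.dport))


class RuleTree:
    def __init__(self, nodes: List[HeaderNode]):
        self.nodes = nodes

    def total_rules(self) -> int:
        return sum(len(n.rules) for n in self.nodes)

    def evaluate(self, pkt: Packet) -> Tuple[List[int], int]:
        """Tree walk: returns (alerting SIDs, number of content rules tested)."""
        hits, tested = [], 0
        for node in self.nodes:
            if not node.matches(pkt):
                continue            # whole sub-list skipped, as the reply describes
            for rule in node.rules:
                tested += 1
                if rule.matches(pkt):
                    hits.append(rule.sid)
        return hits, tested

    def evaluate_flat(self, pkt: Packet) -> Tuple[List[int], int]:
        """Naive walk over every rule as one flat list, for comparison."""
        hits, tested = [], 0
        for node in self.nodes:
            for rule in node.rules:
                tested += 1
                if node.matches(pkt) and rule.matches(pkt):
                    hits.append(rule.sid)
        return hits, tested


def build_sample_tree() -> RuleTree:
    # Constructed rule set: five web rules, two DNS rules, one any/any rule.
    web = HeaderNode(None, None, "192.0.2.0/24", (80, 80), [
        ContentRule(1000001, "web cgi-bin access", b"/cgi-bin/"),
        ContentRule(1000002, "web traversal", b"../.."),
        ContentRule(1000003, "web cmd.exe", b"cmd.exe"),
        ContentRule(1000004, "web script tag", b"<script>"),
        ContentRule(1000005, "web passwd file", b"/etc/passwd"),
    ])
    dns = HeaderNode(None, None, None, (53, 53), [
        ContentRule(2000001, "dns version.bind query", b"version.bind"),
        ContentRule(2000002, "dns chaos class", b"chaos"),
    ])
    catch_all = HeaderNode(None, None, None, None, [
        ContentRule(3000001, "any marker string", b"EICAR"),
    ])
    return RuleTree([web, dns, catch_all])


def sample_dns_packet() -> Packet:   # constructed sample traffic
    return Packet("192.0.2.10", 4444, "192.0.2.53", 53, b"\x12\x34version.bind")


def sample_http_packet() -> Packet:  # constructed sample traffic
    return Packet("192.0.2.10", 5555, "192.0.2.80", 80, b"GET /cgi-bin/test HTTP/1.0")


if __name__ == "__main__":
    tree = build_sample_tree()
    for pkt in (sample_dns_packet(), sample_http_packet()):
        print(pkt.dport, "tree:", tree.evaluate(pkt), "flat:", tree.evaluate_flat(pkt))
```

For the DNS packet the tree walk tests only the two port 53 rules plus the one any/any rule, while the flat walk touches all eight; the gap grows with every extra port 80 rule, which is the point the reply makes about not checking web rules against a packet bound to port 53.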




