Snort mailing list archives
Re: Theoretical questions about snort
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 23 Dec 2004 11:53:09 -0500
At 11:34 AM 12/23/2004, mosquitooth () gmx net wrote:
I'm quite new to snort but nevertheless very enthusiastic about it. What strikes me most is the enormous speed of snort (able to scan a 150MBit line with nearly no packet loss)! I'd even like to contribute to snort (in programming some code), but for a snort-newbie starting is difficult. The source code contains only a little information about what's going on - so, is there a white paper (or a book) out there that covers especially the internal programming and behaviour of snort? What I think is especially odd is the enormous speed. When I imagine my code walking down a linked list of e.g. 2500 rules for EACH PACKET - this would end really s l o w . . . So, how is it done? How is Snort able to check for so many rules per packet in such a small time? Is there any trick behind it?
It's not done as a single linked list where every rule must be evaluated for every.. that would be horribly inefficient.. Think of it in terms of a decision tree and you get closer to how it works.
I'm not sure about recent versions, but in general snort started off being architected as a linked list of linked lists. You started at a linked list of nodes, each of which specifies various IP and port limitations, and each pointing to a linked list of content rules. So you take your packet and traverse along the first list. When you find an IP/port node that matches, you traverse the list of content rules it points to, and execute those. Then you go back to the main list, looking for other IP/port nodes you need to run up. Remember, you can have ranges, and/or "any" as a port/IP specifier, so you may have to traverse many of these. The "ip any any -> any any" rules obviously get executed for every packet, but it makes no sense to bother with checking any of the port 80 rules for a packet bound to port 53.
More recent generations may have changed it to be multiple layers of lists to optimize further, but you get the general idea. They've also been improving the content matching algorithms over the years...
Normally you'd go here http://www.snort.org/docs/ and look at "Development Papers". Unfortunately that points to a dead-end part of sourcefire's website..
Try here instead: http://www.sourcefire.com/products/library.html They ask for contact info to download the whitepapers...
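The "linked list of linked lists" Matt describes, as an added Python example that is not part of this thread and not Snort's own code: header nodes group the content rules that share the same protocol/port constraints, so a packet bound to port 53 never causes the port-80 group to be searched, while the "any/any" group runs for every packet. The sids, contents, rules and packets are constructed for illustration (hypothetical, not real Snort rules), and only protocol and ports are modelled, not IP ranges. The flat matcher is included so the two can be compared on the same packet.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Header:
    """Header constraints of a rule; None means 'any', like Snort's any/any."""
    proto: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]

    def matches(self, pkt: "Packet") -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass(frozen=True)
class ContentRule:
    sid: int          # constructed sid, not a real Snort signature id
    content: bytes    # byte pattern searched for in the payload
    msg: str


@dataclass
class Packet:
    proto: str
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class Stats:
    """What each matcher had to do for one packet, plus the sids that fired."""
    header_checks: int = 0
    content_checks: int = 0
    hits: List[int] = field(default_factory=list)


# Constructed rule set: three port-80 rules, two port-53 rules, one any/any rule.
RULES: List[Tuple[Header, ContentRule]] = [
    (Header("tcp", None, 80), ContentRule(1000001, b"/cgi-bin/", "web cgi-bin access")),
    (Header("tcp", None, 80), ContentRule(1000002, b"../../", "web directory traversal")),
    (Header("tcp", None, 80), ContentRule(1000003, b"cmd.exe", "web cmd.exe request")),
    (Header("udp", None, 53), ContentRule(1000004, b"\x07version\x04bind", "dns version.bind query")),
    (Header("udp", None, 53), ContentRule(1000005, b"\x00\xfc", "dns AXFR qtype")),
    (Header(None, None, None), ContentRule(1000006, b"CONSTRUCTED-MARKER", "any/any marker")),
]


def build_tree(rules: List[Tuple[Header, ContentRule]]) -> List[Tuple[Header, List[ContentRule]]]:
    """Outer list of header nodes, each pointing to its own list of content rules."""
    nodes: Dict[Header, List[ContentRule]] = {}
    for hdr, rule in rules:
        nodes.setdefault(hdr, []).append(rule)
    return list(nodes.items())


def match_flat(rules: List[Tuple[Header, ContentRule]], pkt: Packet) -> Stats:
    """Naive single list: the header of every rule is re-checked for every packet."""
    st = Stats()
    for hdr, rule in rules:
        st.header_checks += 1
        if hdr.matches(pkt):
            st.content_checks += 1
            if rule.content in pkt.payload:
                st.hits.append(rule.sid)
    return st


def match_tree(tree: List[Tuple[Header, List[ContentRule]]], pkt: Packet) -> Stats:
    """List of lists: one header check per node; a non-matching node skips its whole group."""
    st = Stats()
    for hdr, rules in tree:
        st.header_checks += 1
        if not hdr.matches(pkt):
            continue
        for rule in rules:
            st.content_checks += 1
            if rule.content in pkt.payload:
                st.hits.append(rule.sid)
    return st


TREE = build_tree(RULES)

# Constructed packets: a DNS version.bind query and a plain HTTP request.
DNS_PKT = Packet("udp", 40123, 53,
                 b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                 b"\x07version\x04bind\x00\x00\x10\x00\x03")
HTTP_PKT = Packet("tcp", 51000, 80, b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("dns", DNS_PKT), ("http", HTTP_PKT)):
        print(name, "flat:", match_flat(RULES, pkt))
        print(name, "tree:", match_tree(TREE, pkt))
```

Both matchers report the same sids; the difference is that the tree does one header check per group (3 here) instead of one per rule (6), and the gap grows with the size of each port's rule group. With real rule sets the port-80 group is by far the largest, which is exactly the group a DNS packet never enters.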