Snort mailing list archives
Re: Theoretical questions about snort
From: Wes Young <wcyoung () buffalo edu>
Date: Thu, 23 Dec 2004 12:20:06 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What's the fastest line anyone has used w/snort... I'm attempting 600meg.... (with an Endace card of course)...

Matt Kettler wrote:
| At 11:34 AM 12/23/2004, mosquitooth () gmx net wrote:
|
|> I'm quite new to snort but nevertheless very enthusiastic about it. What
|> strikes me most is the enormous speed of snort (able to scan a 150MBit line
|> with nearly no packet loss)!
|> I'd even like to contribute to snort (in programming some code), but for a
|> snort-newbie starting is difficult. The source code contains only a little
|> information about what's going on - so, is there a white paper (or a book)
|> out there, that covers especially the internal programming and behaviour of
|> snort?
|> What I think is especially odd, is the enormous speed. When I imagine my
|> code walking down a linked list of e.g. 2500 rules for EACH PACKET - this
|> would end really s l o w . . .
|> So, how is it done? How is Snort able to check for so many rules per packet
|> in such a small time? Is there any trick behind it?
|
|
| It's not done as a single linked list where every rule must be evaluated
| for every.. that would be horribly inefficient.. Think of it in terms of
| a decision tree and you get closer to how it works.
|
| I'm not sure about recent versions, but in general snort started off
| being architected as a linked list of linked lists. You started at a
| linked list of nodes, each of which specifies various IP and port
| limitations, and each pointing to a linked list of content rules. So you
| take your packet and traverse along the first list. When you find an
| IP/port node that matches, you traverse the list of content rules it
| points to, and execute those. Then you go back to the main list, looking
| for other IP/port nodes you need to run up. Remember, you can have
| ranges, and/or "any" as a port/IP specifier, so you may have to traverse
| many of these. The "ip any any -> any any" rules obviously get executed
| for every packet, but it makes no sense to bother with checking any of
| the port 80 rules for a packet bound to port 53.
|
| More recent generations may have changed it to be multiple layers of
| lists to optimize further, but you get the general idea. They've also
| been improving the content matching algorithms over the years...
|
| Normally you'd go here
| http://www.snort.org/docs/
|
| and look at "Development Papers". Unfortunately that points to a
| dead-end part of sourcefire's website..
|
| Try here instead:
| http://www.sourcefire.com/products/library.html
|
| They ask for contact info to download the whitepapers...
|
|
|
| -------------------------------------------------------
| SF email is sponsored by - The IT Product Guide
| Read honest & candid reviews on hundreds of IT Products from real users.
| Discover which products truly live up to the hype. Start reading now.
| http://productguide.itmanagersjournal.com/
| _______________________________________________
| Snort-users mailing list
| Snort-users () lists sourceforge net
| Go to this URL to change user options or unsubscribe:
| https://lists.sourceforge.net/lists/listinfo/snort-users
| Snort-users list archive:
| http://www.geocrawler.com/redir-sf.php3?list=snort-users
|
|

- --
Wes Young
Network Security Analyst
University at Buffalo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFByv5GzLe0Tk6uDXYRAhPRAJ0fC/Djnwdd0X8JH98+RdGHLmWC3ACdEL7L
wEoYwWmUN1KWAspv7HF/gA8=
=nchV
-----END PGP SIGNATURE-----
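Matt Kettler's description above, a list of IP/port header nodes each owning its own list of content checks, is easier to see in code than in prose. The C program below is an added illustration written for this archive page; it is not Snort source and not from anyone in the thread. Snort's own sources call the two node kinds RTN (rule tree node) and OTN (option tree node); the rule set, packets, field names and the port-only header matching (no IP ranges, content matched with a plain substring search) are all constructed simplifications for the example. It counts how many content checks a packet actually triggers, so you can compare that with the naive "one check per rule per packet" figure the original poster was worried about.

```c
/* Toy Snort-style rule tree (added example, not Snort code): a linked list of
 * header nodes (RTN), each pointing to a linked list of content checks (OTN).
 * Only headers that match the packet's ports are descended into. */
#include <stdio.h>
#include <string.h>

#define MAX_RULES   32
#define MAX_HEADERS 32
#define PORT_ANY    0          /* stands in for "any" in a rule header */

struct rule {                  /* one flat rule, as a parser would hand it over */
    unsigned short src_port, dst_port;
    const char *content;       /* payload substring the rule looks for */
    const char *msg;
};

struct otn { const struct rule *r; struct otn *next; };         /* content check */
struct rtn {                                                      /* header node */
    unsigned short src_port, dst_port;
    struct otn *opts;
    struct rtn *next;
};

static struct otn otn_pool[MAX_RULES];
static struct rtn rtn_pool[MAX_HEADERS];
static int n_otn, n_rtn;

/* Build the header list; rules with the same src/dst ports share one RTN. */
static struct rtn *build_tree(const struct rule *rules, int n)
{
    struct rtn *head = NULL;
    n_otn = n_rtn = 0;
    for (int i = 0; i < n; i++) {
        struct rtn *h;
        for (h = head; h; h = h->next)
            if (h->src_port == rules[i].src_port && h->dst_port == rules[i].dst_port)
                break;
        if (!h) {                              /* first rule with this header */
            h = &rtn_pool[n_rtn++];
            h->src_port = rules[i].src_port;
            h->dst_port = rules[i].dst_port;
            h->opts = NULL;
            h->next = head;
            head = h;
        }
        struct otn *o = &otn_pool[n_otn++];    /* hang the content check off it */
        o->r = &rules[i];
        o->next = h->opts;
        h->opts = o;
    }
    return head;
}

struct packet { unsigned short src_port, dst_port; const char *payload; };
struct result { int alerts; int content_checks; };

static int port_ok(unsigned short want, unsigned short have)
{
    return want == PORT_ANY || want == have;
}

/* Walk the header list; only matching headers cost us content checks. */
static struct result match_packet(const struct rtn *tree, const struct packet *p)
{
    struct result res = {0, 0};
    for (const struct rtn *h = tree; h; h = h->next) {
        if (!port_ok(h->src_port, p->src_port) || !port_ok(h->dst_port, p->dst_port))
            continue;
        for (const struct otn *o = h->opts; o; o = o->next) {
            res.content_checks++;
            if (strstr(p->payload, o->r->content))
                res.alerts++;
        }
    }
    return res;
}

/* Constructed rule set: three HTTP rules, one DNS rule, one "any any" rule. */
static const struct rule RULES[] = {
    {PORT_ANY, 80,       "GET ",    "http get"},
    {PORT_ANY, 80,       "POST ",   "http post"},
    {PORT_ANY, 80,       "Host:",   "http host header"},
    {PORT_ANY, 53,       "version", "dns version query"},
    {PORT_ANY, PORT_ANY, "marker",  "any-any rule"},
};
#define N_RULES ((int)(sizeof RULES / sizeof RULES[0]))

/* Scan one constructed packet (fixed ephemeral source port) against RULES. */
struct result scan(unsigned short dst_port, const char *payload)
{
    const struct rtn *tree = build_tree(RULES, N_RULES);
    struct packet p = {12345, dst_port, payload};
    return match_packet(tree, &p);
}

int header_count(void) { build_tree(RULES, N_RULES); return n_rtn; }

int main(void)
{
    struct { unsigned short port; const char *payload; } pkts[] = {
        {53, "version bind"},
        {80, "GET / HTTP/1.1\r\nHost: x\r\n"},
        {22, "marker"},
    };
    printf("%d rules collapse into %d header nodes\n", N_RULES, header_count());
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        struct result r = scan(pkts[i].port, pkts[i].payload);
        printf("dst port %5u: %d content checks (naive: %d), %d alerts\n",
               pkts[i].port, r.content_checks, N_RULES, r.alerts);
    }
    return 0;
}
```

The numbers make Matt's point concrete: the packet to port 53 never touches the three port-80 content checks, so it pays for two checks instead of five, and the only rule every packet pays for is the "any any" one. Real Snort header nodes also carry IP ranges and direction, and the content checks themselves are fed through a multi-pattern matcher rather than one `strstr` per rule, but the shape of the traversal is the same.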
Current thread:
- Theoretical questions about snort mosquitooth (Dec 23)
- Re: Theoretical questions about snort sekure (Dec 23)
- Re: Theoretical questions about snort Matt Kettler (Dec 23)
- Re: Theoretical questions about snort Wes Young (Dec 23)