Snort mailing list archives

Re: Theoretical questions about snort


From: Wes Young <wcyoung () buffalo edu>
Date: Thu, 23 Dec 2004 12:20:06 -0500


What's the fastest line anyone has used w/snort... I'm attempting
600meg.... (with an Endace card of course)...

Matt Kettler wrote:
| At 11:34 AM 12/23/2004, mosquitooth () gmx net wrote:
|
|> I'm quite new to snort but nevertheless very enthusiastic about it. What
|> strikes me most is the enormous speed of snort (able to scan a 150MBit
|> line with nearly no packet loss)!
|> I'd even like to contribute to snort (in programming some code), but for a
|> snort newbie starting is difficult. The source code contains only a little
|> information about what's going on - so, is there a white paper (or a book)
|> out there, that covers especially the internal programming and behaviour of
|> snort?
|> What I think is especially odd is the enormous speed. When I imagine my
|> code walking down a linked list of e.g. 2500 rules for EACH PACKET - this
|> would end really s l o w . . .
|> So, how is it done? How is Snort able to check for so many rules per packet
|> in such a small time? Is there any trick behind it?
|
|
| It's not done as a single linked list where every rule must be evaluated
| for every.. that would be horribly inefficient.. Think of it in terms of
| a decision tree and you get closer to how it works.
|
| I'm not sure about recent versions, but in general snort started off
| being architected as a linked list of linked lists. You started at a
| linked list of nodes, each of which specifies various IP and port
| limitations, and each pointing to a linked list of content rules. So you
| take your packet and traverse along the first list. When you find an
| IP/port node that matches, you traverse the list of content rules it
| points to, and execute those. Then you go back to the main list, looking
| for other IP/port nodes you need to run up. Remember, you can have
| ranges, and/or "any" as a port/IP specifier, so you may have to traverse
| many of these. The "ip any any -> any any" rules obviously get executed
| for every packet, but it makes no sense to bother with checking any of
| the port 80 rules for a packet bound to port 53.
|
| More recent generations may have changed it to be multiple layers of
| lists to optimize further, but you get the general idea. They've also
| been improving the content matching algorithms over the years...
|
| Normally you'd go here
| http://www.snort.org/docs/
|
| and look at "Development Papers". Unfortunately that points to a
| dead-end part of sourcefire's website..
|
| Try here instead:
| http://www.sourcefire.com/products/library.html
|
| They ask for contact info to download the whitepapers...
|

-- 
Wes Young
Network Security Analyst
University at Buffalo
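Matt's "linked list of linked lists" description above, as an added C sketch that is not Snort's own code (the ports, rule strings and payloads are constructed for the example): a packet walks only the content lists behind the header nodes it matches, and counting the content checks actually executed shows why the port 80 rules cost nothing for a packet bound to port 53.

```c
/* Added illustration (not Snort source) of the list-of-lists dispatch Matt
 * describes: header nodes hold port limits and each owns a content list, so a
 * packet only walks the content lists behind matching headers. Made-up rules. */
#include <stdio.h>
#include <string.h>

#define ANY (-1)                        /* "any" port in a rule header */

typedef struct { const char *msg; const char *content; } ContentRule;
typedef struct { int dst_port; const ContentRule *rules; int nrules; } HeaderNode;

static const ContentRule http_rules[] = { { "WEB traversal", "../" },
                                          { "WEB cmd.exe",   "cmd.exe" } };
static const ContentRule dns_rules[]  = { { "DNS version query", "version.bind" } };
static const ContentRule any_rules[]  = { { "any-port marker", "MARKER" } };

/* First level: header nodes; second level: the content list each one owns. */
static const HeaderNode tree[] = {
    { 80,  http_rules, 2 },
    { 53,  dns_rules,  1 },
    { ANY, any_rules,  1 },             /* evaluated for every packet */
};
#define NTREE ((int)(sizeof tree / sizeof tree[0]))

/* Walk the tree for one packet: returns alerts raised, and reports in *checks
 * how many content matches were actually executed (the cost asked about). */
static int evaluate(int dst_port, const char *payload, int *checks)
{
    int alerts = 0;
    *checks = 0;
    for (int i = 0; i < NTREE; i++) {
        const HeaderNode *h = &tree[i];
        if (h->dst_port != ANY && h->dst_port != dst_port)
            continue;                   /* skip this node's whole content list */
        for (int j = 0; j < h->nrules; j++) {
            (*checks)++;
            if (strstr(payload, h->rules[j].content) != NULL)
                alerts++;
        }
    }
    return alerts;
}

int count_alerts(int dst_port, const char *payload) { int c; return evaluate(dst_port, payload, &c); }
int count_checks(int dst_port, const char *payload) { int c; evaluate(dst_port, payload, &c); return c; }

int main(void)
{   int c, a = evaluate(80, "GET /../cmd.exe HTTP/1.0", &c);
    printf("port 80: %d alerts after %d of 4 content checks\n", a, c); return 0; }
```

With 2500 real rules the same structure applies: only the header nodes whose port/IP limits match are expanded, and the "any any" node is the one list every packet pays for.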



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

