[Snort-devel] rules.c/h

ndesai01 at ...1037... ndesai01 at ...1037...
Fri Jan 4 11:03:18 EST 2002

If I am reading the rules.c file correctly once the rules have been parsed 
they are sent to either the IP chain, TCP chain, UDP chain or ICMP chain.

	while(rule != NULL)
       	 IntegrityCheck(rule->RuleList->IpList, rule->name, "IP Chains");
       	 IntegrityCheck(rule->RuleList->TcpList, rule->name, "TCP Chains");
       	 IntegrityCheck(rule->RuleList->UdpList, rule->name, "UDP Chains");
       	 IntegrityCheck(rule->RuleList->IcmpList, rule->name, "ICMP Chains");
        	rule = rule->next;

According to rules.h there is a serperate chain for each of the above.

	typedef struct _ListHead
    	RuleTreeNode *IpList;
    	RuleTreeNode *TcpList;
    	RuleTreeNode *UdpList;
    	RuleTreeNode *IcmpList;
    	struct _OutputFuncNode *LogList;
    	struct _OutputFuncNode *AlertList;
	} ListHead; 

What is confusing me is some older documentation on snort from snortnet.
The document stated that 
	1. There are five different chains of rules, one 
	   for each alert type.
	2. There are three different linked lists per chain
	   rule. One linked list per IP protocol.

Am I missing something or just make things harder than they need to be?


More information about the Snort-devel mailing list