[Snort-devel] rules.c/h

Chris Green cmg at ...81...
Fri Jan 4 17:15:05 EST 2002


ndesai01 at ...1037... writes:

> If I am reading the rules.c file correctly once the rules have been parsed 
> they are sent to either the IP chain, TCP chain, UDP chain or ICMP chain.
>
> Am I missing something or just make things harder than they need to
> be?

The best explanation of it is in the FAQ

http://www.snort.org/docs/faq.html#3.13

It is confusing to get used to because of the multiple types of
Rule heads.

The only thing I don't quite understand is how IP and ICMP rules
organize themselves. Do they all get thrown into a single chain
because they have no ports to group by?

DumpChain() gives a good example of traversing it.

Hope it helps; in doing my own evil functions at the moment, I've had
to look at it a lot.
-- 
Chris Green <cmg at ...81...>
A good pun is its own reword.
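The chain organisation the thread is discussing (a rule's header picks the protocol chain, headers within a chain are distinguished by port, and the port-less IP and ICMP protocols therefore collapse into a single header each) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Snort's rules.c, and the type and function names (RuleTreeNode, OptTreeNode, ANY_PORT, find_or_create_header, dump_chain) as well as the sample rules are constructed for illustration only:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of per-protocol rule chains (example code, not Snort's
 * rules.c). Type names, ANY_PORT and the sample rules are assumptions. */

#define ANY_PORT 0      /* assumed sentinel: header has no port to group by */
#define MAX_PROTO 4

enum Proto { PROTO_IP = 0, PROTO_TCP, PROTO_UDP, PROTO_ICMP };

/* One rule body; several bodies may hang off the same header node */
typedef struct OptTreeNode {
    char msg[64];
    struct OptTreeNode *next;
} OptTreeNode;

/* One rule header (protocol + destination port) in a protocol's chain */
typedef struct RuleTreeNode {
    int proto;
    int dst_port;
    OptTreeNode *opts;
    int opt_count;
    struct RuleTreeNode *right;
} RuleTreeNode;

static RuleTreeNode *chains[MAX_PROTO];   /* IP, TCP, UDP and ICMP chains */

static const char *proto_name(int p) {
    static const char *names[] = { "ip", "tcp", "udp", "icmp" };
    return (p >= 0 && p < MAX_PROTO) ? names[p] : "?";
}

/* Return the header node for (proto, port) in that protocol's chain, creating
 * it if absent. IP and ICMP have no port, so every rule for them shares one
 * header node: that is the single-chain behaviour the reply wonders about. */
static RuleTreeNode *find_or_create_header(int proto, int dst_port) {
    if (proto == PROTO_IP || proto == PROTO_ICMP) dst_port = ANY_PORT;
    RuleTreeNode *rtn;
    for (rtn = chains[proto]; rtn != NULL; rtn = rtn->right)
        if (rtn->dst_port == dst_port) return rtn;
    rtn = calloc(1, sizeof *rtn);
    rtn->proto = proto;
    rtn->dst_port = dst_port;
    rtn->right = chains[proto];           /* push onto the front of the chain */
    chains[proto] = rtn;
    return rtn;
}

/* Parsed rule -> header selects chain and node, body becomes an option node */
static void add_rule(int proto, int dst_port, const char *msg) {
    RuleTreeNode *rtn = find_or_create_header(proto, dst_port);
    OptTreeNode *otn = calloc(1, sizeof *otn);
    snprintf(otn->msg, sizeof otn->msg, "%s", msg);
    otn->next = rtn->opts;
    rtn->opts = otn;
    rtn->opt_count++;
}

/* Number of distinct header nodes in one protocol's chain */
static int header_count(int proto) {
    int n = 0;
    for (RuleTreeNode *r = chains[proto]; r; r = r->right) n++;
    return n;
}

/* Number of rule bodies under the header for (proto, port), or -1 if none */
static int opts_for(int proto, int dst_port) {
    if (proto == PROTO_IP || proto == PROTO_ICMP) dst_port = ANY_PORT;
    for (RuleTreeNode *r = chains[proto]; r; r = r->right)
        if (r->dst_port == dst_port) return r->opt_count;
    return -1;
}

/* Walk a chain header by header, then body by body, in the manner of a
 * DumpChain()-style debugging routine */
static void dump_chain(int proto) {
    for (RuleTreeNode *r = chains[proto]; r; r = r->right) {
        printf("%s header dst_port=%d (%d rules)\n",
               proto_name(proto), r->dst_port, r->opt_count);
        for (OptTreeNode *o = r->opts; o; o = o->next)
            printf("    msg:\"%s\"\n", o->msg);
    }
}

/* Constructed sample rule set: two TCP/80 rules share one header, the two
 * ICMP rules share the single ICMP header */
static void build_sample_rules(void) {
    add_rule(PROTO_TCP, 80, "WEB sample A");
    add_rule(PROTO_TCP, 80, "WEB sample B");
    add_rule(PROTO_TCP, 21, "FTP sample");
    add_rule(PROTO_UDP, 53, "DNS sample");
    add_rule(PROTO_ICMP, ANY_PORT, "ICMP sample A");
    add_rule(PROTO_ICMP, ANY_PORT, "ICMP sample B");
    add_rule(PROTO_IP, ANY_PORT, "IP sample");
}

int main(void) {
    build_sample_rules();
    for (int p = 0; p < MAX_PROTO; p++) dump_chain(p);
    return 0;
}
```

Running it prints the TCP chain with two header nodes (ports 80 and 21), the UDP chain with one, and a single header each for ICMP and IP; the TCP/80 header carries two rule bodies. Grouping by header first means a packet is matched against only the bodies under the header it actually hits, rather than against every rule in turn.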