[Snort-devel] About Snort Set Based Rule Inspection And Parameterized search!

Marc Norton marc.norton at ...402...
Wed Apr 14 06:44:00 EDT 2004


You do not have to change the code to add rules, unless you are adding
new rule options to the rules language.  The term parameterized search
refers to the process of testing each rule option in order.   
 
-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of rico fear
Sent: Sunday, April 11, 2004 4:16 AM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] About Snort Set Based Rule Inspection And
Parameterized search!
 
Hi,
I know that you are all busy,
but please, if anyone could kindly answer my question!
I read white papers from 
 http://www.sourcefire.com/technology/whitepapers.htm
  Snort 2.0 - Detection Revisited
  Snort 2.0 - High Performance Multi-Rule Inspection Engine
  Snort 2.0 - Rule Optimizer
  Snort 2.0 - Protocol Flow Analyzer
 
So that I could understand how Snort matches the incoming
packet against the rule set.
I have only one question; I need to know whether it's right
or wrong.
 
As I understand from the papers, Snort divides rules
into sets and subsets, then starts matching according to
Set Based Rule Inspection combined with Parameterized search.
 
I really need to know exactly what the parameterized search is,
and what will happen if a new rule is added: will this require
updating the code?
 
Regards,
rico
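
The following is an added example, not part of the original messages and not Snort's source code. It is a simplified model of the reply's two points: a rule is data whose options are tested in order, and only a new option keyword requires new code. The option names (dst_port, content, min_size), the helper names and the sample packet are hypothetical.

```python
# Simplified model of parameterized search; not Snort's source code.
# Option names and handlers below are hypothetical, chosen for illustration.

# Each rule option keyword maps to a test taking (packet, parameter).
# Supporting a NEW keyword means adding a handler here: a code change.
OPTION_HANDLERS = {
    "dst_port": lambda pkt, port: pkt["dst_port"] == port,
    "content": lambda pkt, pattern: pattern in pkt["payload"],
    "min_size": lambda pkt, n: len(pkt["payload"]) >= n,
}


def load_rule(name, options):
    """Validate a rule (pure data) against the known option handlers."""
    for keyword, _param in options:
        if keyword not in OPTION_HANDLERS:
            raise ValueError(f"unknown rule option {keyword!r}: needs a new handler")
    return {"name": name, "options": list(options)}


def evaluate(rule, packet):
    """Test each option in order; return (matched, options_tested)."""
    tested = 0
    for keyword, param in rule["options"]:
        tested += 1
        if not OPTION_HANDLERS[keyword](packet, param):
            return False, tested  # first failing option ends the search
    return True, tested


def matching_rules(rules, packet):
    """Names of all rules whose options all pass for this packet."""
    return [r["name"] for r in rules if evaluate(r, packet)[0]]


# Constructed sample rules and packet.
RULES = [
    load_rule("web-index", [("dst_port", 80), ("content", b"/index.html")]),
    load_rule("ftp-user", [("dst_port", 21), ("content", b"USER ")]),
]
PACKET = {"dst_port": 80, "payload": b"GET /index.html HTTP/1.0"}

if __name__ == "__main__":
    print(matching_rules(RULES, PACKET))
    # Adding a rule built from existing options is a data change only.
    RULES.append(load_rule("long-get", [("content", b"GET "), ("min_size", 20)]))
    print(matching_rules(RULES, PACKET))
```

The second rule fails on its first option, so its content test never runs; ordering cheap options first reduces work per packet in this model.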