[Snort-devel] Theoretical questions about snort

mosquitooth at ...224...
Thu Dec 23 08:35:07 EST 2004


Dear Snort Developers,

I'm quite new to Snort but nevertheless very enthusiastic about it. What
strikes me most is the enormous speed of Snort (able to scan a 150MBit line
with nearly no packet loss)!
I'd even like to contribute to Snort (by programming some code), but for a
Snort newbie, starting is difficult. The source code contains only a little
information about what's going on - so, is there a white paper (or a book)
out there that covers especially the internal programming and behaviour of
Snort?
What I think is especially odd is the enormous speed. When I imagine my
code walking down a linked list of e.g. 2500 rules for EACH PACKET - this
would end really s l o w . . .
So, how is it done? How is Snort able to check for so many rules per packet
in such a short time? Is there any trick behind it?

Thanks a lot and Merry Christmas

Peter
