[Snort-devel] questions from novice

Королев Илья breeze at ...2690...
Tue Dec 28 08:03:01 EST 2004


Hello everyone

I've studied the Snort 2.2.0 code, and I've got some questions:

1. At initial processing of rules we place them in some PortRuleMap. Why
are rules with a range of ports inserted into the generic group together
with rules with an "any" port? After that the generic rules are applied to
_every_ PORT_GROUP, so we have to work with many unnecessary rules.

2. At packet processing, after we find the necessary PORT_GROUP, we check
all rules (OTN info - contents, etc.) and only after that we check the RTN.
I guess it gives us the ability to find "non-qualified" rules. Something
else? It seems to me that in many cases we should check the RTN first - it
will speed up Snort. Or have I missed something?

3. In fpcreate.c, the function IsRuleNotPure() IMHO can be implemented far
more easily. For example:
static int IsPureNotRule( PatternMatchData * pmd )
{
    /* a rule with no content options is not a "pure not" rule */
    if( !pmd ) return 0;

    /* one content that is not negated makes the rule a normal rule */
    for( ;pmd; pmd=pmd->next )
    {
        if( !pmd->exception_flag ) return 0;
    }

    /* every content option was negated */
    return 1;
}

4. In fpcreate.c, in the function fpInitDetectionEngine(), the call to
fpSetDetectionOptions() is, IMHO, useless.


PS: And sorry for my ugly English :(
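As an added, self-contained C example of the check discussed in item 3 (this is not code from the post or from Snort's own sources): a rule whose content options are all negated has no positive pattern the fast pattern matcher can key on, so the detection engine has to evaluate it against every packet in its port group, which is why such rules are flagged up front. The struct below is an assumed minimal stand-in for Snort's PatternMatchData with only the two fields the check reads, and the helper names build_contents and classify_contents are mine; the flag arrays are constructed test data.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed minimal stand-in for Snort's PatternMatchData: only the two
 * fields the "pure not" check reads. Not Snort's real struct layout. */
typedef struct PatternMatchData {
    int exception_flag;            /* 1 when the content is negated ("!") */
    struct PatternMatchData *next; /* next content option of the same rule */
} PatternMatchData;

/* A rule is "pure not" when every content option is negated. It returns 0
 * for a rule with no contents, because such a rule is not driven by the
 * pattern matcher at all and is handled separately. */
static int IsPureNotRule(const PatternMatchData *pmd)
{
    if (!pmd) return 0;
    for (; pmd; pmd = pmd->next) {
        if (!pmd->exception_flag) return 0; /* one positive content suffices */
    }
    return 1;
}

/* Release a content list built by build_contents(). */
static void free_contents(PatternMatchData *pmd)
{
    while (pmd) {
        PatternMatchData *next = pmd->next;
        free(pmd);
        pmd = next;
    }
}

/* Build a content list from an array of exception flags (constructed data). */
static PatternMatchData *build_contents(const int *flags, size_t n)
{
    PatternMatchData *head = NULL, **tail = &head;
    for (size_t i = 0; i < n; i++) {
        PatternMatchData *node = calloc(1, sizeof *node);
        if (!node) {
            free_contents(head);
            return NULL;
        }
        node->exception_flag = flags[i];
        *tail = node;
        tail = &node->next;
    }
    return head;
}

/* Hypothetical convenience wrapper: classify one rule given its flag array.
 * Returns 1 for a "pure not" rule, 0 otherwise. */
int classify_contents(const int *flags, size_t n)
{
    PatternMatchData *list = build_contents(flags, n);
    int result = IsPureNotRule(list);
    free_contents(list);
    return result;
}

/* Count the rules in a set that need full evaluation because they have no
 * positive content for the fast pattern matcher. */
int count_pure_not_rules(const int *const *rules, const size_t *lengths, size_t count)
{
    int total = 0;
    for (size_t i = 0; i < count; i++) {
        total += classify_contents(rules[i], lengths[i]);
    }
    return total;
}

int main(void)
{
    int all_neg[] = {1, 1, 1};
    int mixed[]   = {1, 0, 1};
    int one_pos[] = {0};
    printf("all negated     -> %d\n", classify_contents(all_neg, 3));
    printf("mixed           -> %d\n", classify_contents(mixed, 3));
    printf("single positive -> %d\n", classify_contents(one_pos, 1));
    printf("no contents     -> %d\n", classify_contents(NULL, 0));
    return 0;
}
```

The useful property of the loop form is that it exits on the first positive content, so the cost of classifying a rule is bounded by the position of its first non-negated pattern rather than by the full length of its content list.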