[Snort-devel] Snort Pattern-Matching Steps

mcenroe at ...2397... mcenroe at ...2397...
Tue Feb 24 21:25:02 EST 2004


I have read one 'Snort Internals' PDF file. In it they have written, 'Snort will check for the rule header and then it will check for the rule option'.

Why can we not do it the other way, like:

1) Construct the TCP stream (part of or the full stream).
2) Check for content or uricontent using the detection engine.
3) If the content is there, check the rule header.

To my knowledge, in the n/w security field, I am not able to find a single statement for not selecting the above steps.


The greatest pleasure in life is doing what people say you cannot do.

Successful People Do Daily What Unsuccessful People Do Occasionally.

Office Phone no : 080 - 23600653/54/59 .Ext : 421
Alternative Email id : itmcen at ...398...
