[Snort-devel] Information on DETECTION_OPTION_TREE and OTN vs ds_list

Steven Sturges steve.sturges at ...402...
Fri Mar 6 10:00:37 EST 2009

Hi Daniel--

The DETECTION_OPTION_TREE is controlled via a build-time
configuration (configure --enable or --disable...) that
was added in Snort 2.8.2 (released in 2008).

It is on by default, and with it on, Snort uses a new, faster
algorithm when evaluating rules.  It is hardened -- no longer
configurable -- in 2.8.4 (RC was posted in Feb 2009).

The option checks for rules are now done via a tree, where
similar rules are evaluated together.

ds_list only really allowed a single option of a given type,
which was followed by the OTN chains.  The new code extends
the OTN chain approach by only evaluating the options once
for rules that have a similar base set of options.

Some of the ds_list related code still exists, but is largely
just for data storage, versus actual rule evaluation.

Hope this helps.


Daniel Peck wrote:
> Hi List,
> Could someone provide me some information or a pointer to some information
> on the current best practice/approach to creating detection plugins.
> Working from the provided template I'm able to understand most of what's
> going on, but looking at some of the included plugins in the current release
> there's a few things that I can't find documentation on.
> One specifically is the DETECTION_OPTION_TREE define that I'm seeing pop up
> a lot, and I cannot find any documentation about what it is.
> Also, looking through an older book I have (the nessus/snort/wireshark one),
> there is instruction on the ds_list method but says that the otn method was
> the preferred way.  Is this still the case, or has this too been phased out
> for something better?
> Thank you for any advice.
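
Added example, not part of the original message and not Snort's code: a constructed C model of the behaviour described in the reply above, comparing per-rule option chains with a tree in which rules that share leading options share the evaluation. The rule set, the use of substring tests as "options", and the names Node, RULES, tree_add, match_chains, match_tree and run are all assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
typedef struct Node {   /* constructed model, not Snort's own structures */
    const char *opt;    /* option tested at this node (NULL at the root) */
    int rule_id;        /* > 0 when a rule's option list ends here */
    struct Node *child, *next;
} Node;
static int evals;       /* option evaluations performed */
static const char *RULES[4][4] = {   /* constructed; unused slots are NULL */
    {"GET ", "/admin", "passwd"}, {"GET ", "/admin", "shadow"},
    {"GET ", "/admin", "id_rsa"}, {"POST ", "/login"} };
static int eval_opt(const char *o, const char *p) { evals++; return strstr(p, o) != NULL; }
/* Per-rule chains: every rule re-tests its options from the start. */
int match_chains(const char *payload) {
    int hits = 0;
    for (int r = 0; r < 4; r++) {
        int ok = 1;
        for (int i = 0; ok && RULES[r][i]; i++) ok = eval_opt(RULES[r][i], payload);
        hits += ok;
    }
    return hits;
}
/* Rules with the same leading options share nodes. */
void tree_add(Node *cur, const char **opts, int rule_id) {
    for (; *opts; opts++) {
        Node *c = cur->child;
        while (c && strcmp(c->opt, *opts) != 0) c = c->next;
        if (!c) {
            if (!(c = calloc(1, sizeof *c))) abort();
            c->opt = *opts; c->next = cur->child; cur->child = c;
        }
        cur = c;
    }
    cur->rule_id = rule_id;
}
/* Each shared option is tested once; a failed test prunes its subtree. */
int match_tree(const Node *n, const char *payload) {
    int hits = n->rule_id > 0;
    for (const Node *c = n->child; c; c = c->next)
        if (eval_opt(c->opt, payload)) hits += match_tree(c, payload);
    return hits;
}
/* Returns evaluations used on one payload; *hits gets the rules matched. */
int run(int use_tree, const char *payload, int *hits) {
    static Node root;   /* built on first call; re-adding a rule is a no-op */
    for (int r = 0; r < 4; r++) tree_add(&root, RULES[r], r + 1);
    evals = 0;
    *hits = use_tree ? match_tree(&root, payload) : match_chains(payload);
    return evals;
}
```

On the constructed payload `GET /admin/etc/passwd HTTP/1.0`, the chain walk performs 10 option evaluations and the tree walk performs 6, and both report the same single matching rule.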
