[Snort-devel] Information on DETECTION_OPTION_TREE and OTN vs ds_list
steve.sturges at ...402...
Fri Mar 6 10:00:37 EST 2009
The DETECTION_OPTION_TREE is controlled via a build-time
configuration (configure --enable or --disable...) that
was added in Snort 2.8.2 (released in 2008).
It is on by default, and with it on, Snort uses a new, faster
algorithm when evaluating rules. It is hardened -- no longer
configurable -- in 2.8.4 (RC was posted in Feb 2009).

The option checks for rules are now done via a tree, where
similar rules are evaluated together.

ds_list only really allowed a single option of a given type,
which was followed by the OTN chains. The new code extends
the OTN chain approach by only evaluating the options once
for rules that have a similar base set of options.

Some of the ds_list related code still exists, but is largely
just for data storage, versus actual rule evaluation.
Hope this helps.
Daniel Peck wrote:
> Hi List,
> Could someone provide me some information or a pointer to some information
> on the current best practice/approach to creating detection plugins.
> Working from the provided template I'm able to understand most of what's
> going on, but looking at some of the included plugins in the current release
> there's a few things that I can't find documentation on.
> One specifically is the DETECTION_OPTION_TREE define that I'm seeing pop up
> a lot, and I cannot find any documentation about what it is.
> Also, looking through an older book I have (the nessus/snort/wireshark one),
> there is instruction on the ds_list method but says that the otn method was
> the preferred way. Is this still the case, or has this too been phased out
> for something better?
> Thank you for any advice.
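To make the evaluation difference described above concrete, here is an added illustration (not Snort source code and not Snort rule syntax): four constructed rules are matched against a constructed packet first the per-rule way, then through a prefix tree in which rules sharing a leading run of options have those options checked once and a failing option prunes every rule beneath it. Rule contents, the packet and the option names are sample data made up for this example.

```python
from collections import Counter

# Constructed example rules (not Snort syntax): sid -> ordered option checks.
# A rule fires when every (option, value) pair passes against the packet.
RULES = {
    1: [("flow", "to_server"), ("content", "GET "), ("content", "/admin")],
    2: [("flow", "to_server"), ("content", "GET "), ("content", "/login")],
    3: [("flow", "to_server"), ("content", "POST ")],
    4: [("flow", "to_client"), ("content", "HTTP/1.1 500")],
}
# Constructed packet; only the fields the toy options look at.
PACKET = {"flow": "to_server", "payload": "GET /admin HTTP/1.1"}

def check(opt, pkt, counter):
    """Evaluate one option against a packet, counting the evaluation."""
    counter[opt] += 1
    name, value = opt
    if name == "flow":
        return pkt["flow"] == value
    return value in pkt["payload"]  # "content": plain substring match

def eval_flat(rules, pkt):
    """Per-rule style: every rule walks its own option chain independently."""
    hits, counter = [], Counter()
    for sid, opts in rules.items():
        if all(check(o, pkt, counter) for o in opts):
            hits.append(sid)
    return sorted(hits), sum(counter.values())

def build_tree(rules):
    """Merge rules into an option prefix tree; node["sids"] = rules ending there."""
    root = {"children": {}, "sids": []}
    for sid, opts in rules.items():
        node = root
        for o in opts:
            node = node["children"].setdefault(o, {"children": {}, "sids": []})
        node["sids"].append(sid)
    return root

def eval_tree(tree, pkt, counter=None, hits=None):
    """Tree style: a shared option is checked once; a failure prunes its subtree."""
    counter = Counter() if counter is None else counter
    hits = [] if hits is None else hits
    for opt, child in tree["children"].items():
        if check(opt, pkt, counter):
            hits.extend(child["sids"])
            eval_tree(child, pkt, counter, hits)
    return sorted(hits), sum(counter.values())
```

Both paths report the same matching rule for the sample packet; the second element of each result is the number of option evaluations, which is where the tree saves work as more rules share a common prefix.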