[Snort-devel] Added features for Snort decoder?

Soumyadipta Das soumyadipta_das at ...398...
Fri May 8 13:09:23 EDT 2009


Hi Everyone,

Following are two schools of thought regarding packet decoding:

1) The Snort decoder engine (decode.c) decodes a packet and puts the different layer headers in different structures, starting from the data link layer up to layer 4 (OSI model). Contents of the upper layers are not directly segregated into structures and are left for preprocessors and rules to take care of. The benefit of this approach is the flexibility, when writing rules, to match any particular pattern above layer 4. On the other hand, it also opens up the possibility of a mistake in writing a rule.

2) A lot of commercial IPS/IDS products try to decode different application layer protocols. This approach provides more easily accessible granularity when writing a rule, particularly for a given protocol. For instance, a rule for a given function on an MSRPC named pipe distinguished by its UUID would be easier to write.

Please share your views on which would be a preferred approach.

Regards,
Soum
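To make the contrast in the post concrete, here is an added C example; it is not Snort's decode.c and not code from the poster. It decodes a constructed Ethernet/IPv4/TCP frame into a Snort-style Packet with layer 2 to layer 4 header pointers and a payload pointer (approach 1), then applies two rules meant to catch "traffic to interface X": a plain content match on the UUID bytes, and a check that runs a minimal DCE/RPC bind decoder first (approach 2). The interface UUID, MAC and IP addresses, ports, call ids and opnum are constructed placeholders; only the C706 PDU layout and the NDR transfer-syntax UUID are real.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Decoded view of one frame, in the spirit of Snort's Packet struct: header pointers
 * for layers 2-4 plus a payload pointer; nothing above layer 4 is decoded here. */
typedef struct {
    const uint8_t *eth, *ip, *tcp, *data;
    size_t dsize;
} Packet;
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Approach 1: decode Ethernet/IPv4/TCP into Packet, checking every header length against
 * the bytes actually captured. Returns 0 on success, -1 if truncated, malformed or not IPv4/TCP. */
int decode_packet(const uint8_t *pkt, size_t len, Packet *p) {
    memset(p, 0, sizeof *p);
    if (len < 14 || be16(pkt + 12) != 0x0800) return -1;
    const uint8_t *ip = pkt + 14;
    size_t rem = len - 14;
    if (rem < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = be16(ip + 2);
    if (ihl < 20 || ihl > rem || tot < ihl || tot > rem || ip[9] != 6) return -1;
    const uint8_t *tcp = ip + ihl;
    rem = tot - ihl;
    if (rem < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > rem) return -1;
    p->eth = pkt; p->ip = ip; p->tcp = tcp;
    p->data = tcp + doff; p->dsize = rem - doff;
    return 0;
}

/* Approach 2: minimal application-layer decoder for a DCE/RPC (C706) bind PDU. After the
 * 16-byte common header come max_xmit_frag(2), max_recv_frag(2), assoc_group_id(4),
 * n_context_elem(1)+pad(3), p_cont_id(2), n_transfer_syn(1)+pad(1), uuid(16), version(4).
 * Copies the first context's UUID (wire byte order) into uuid; -1 if not a well-formed bind. */
int dcerpc_bind_uuid(const uint8_t *d, size_t n, uint8_t uuid[16]) {
    if (n < 52 || d[0] != 5 || d[2] != 11) return -1;   /* rpc_vers 5, ptype 11 = bind */
    int le = d[4] & 0x10;                                /* drep byte 0 bit 4: integer byte order */
    size_t frag_len = le ? (size_t)(d[8] | (d[9] << 8)) : (size_t)((d[8] << 8) | d[9]);
    if (frag_len < 52 || frag_len > n || d[24] == 0) return -1;
    memcpy(uuid, d + 32, 16);
    return 0;
}
/* Constructed placeholder interface UUID (not a real service), in wire byte order. */
static const uint8_t IFACE_UUID[16] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
                                        0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00 };

/* Constructed bind PDU: little-endian drep, one context, NDR transfer syntax (8a885d04-... v2). */
static size_t build_bind_pdu(uint8_t *out) {
    static const uint8_t fixed[32] = {
        5, 0, 11, 3, 0x10, 0, 0, 0, 72, 0, 0, 0, 1, 0, 0, 0,          /* v5, bind, first|last, LE, frag_len 72 */
        0xb8, 0x10, 0xb8, 0x10, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0 }; /* frag sizes, group 0, 1 ctx, 1 ts */
    static const uint8_t tail[24] = { 1, 0, 0, 0, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11,
        0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 2, 0, 0, 0 }; /* abstract v1.0, NDR uuid + v2.0 */
    memcpy(out, fixed, 32); memcpy(out + 32, IFACE_UUID, 16); memcpy(out + 48, tail, 24);
    return 72;
}

/* Constructed request PDU (ptype 0) whose stub data happens to contain the same 16 bytes. */
static size_t build_request_pdu(uint8_t *out) {
    static const uint8_t hdr[24] = { 5, 0, 0, 3, 0x10, 0, 0, 0, 40, 0, 0, 0, 2, 0, 0, 0,
                                     16, 0, 0, 0, 0, 0, 7, 0 }; /* frag_len 40, alloc_hint 16, opnum 7 */
    memcpy(out, hdr, 24); memcpy(out + 24, IFACE_UUID, 16);
    return 40;
}

/* Wraps a payload in constructed Ethernet/IPv4/TCP headers (dst port 445, checksums left zero). */
static size_t build_frame(uint8_t *out, const uint8_t *payload, size_t plen) {
    size_t tot = 40 + plen;
    const uint8_t eth[14] = { 0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00 };
    const uint8_t ip[20] = { 0x45, 0, (uint8_t)(tot >> 8), (uint8_t)tot, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
    const uint8_t tcp[20] = { 0xc0, 0, 0x01, 0xbd, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0 };
    memcpy(out, eth, 14); memcpy(out + 14, ip, 20); memcpy(out + 34, tcp, 20); memcpy(out + 54, payload, plen);
    return 54 + plen;
}

/* Approach-1 rule: plain content match for the UUID bytes anywhere in the payload. */
int rule_content_uuid(const Packet *p) {
    for (size_t i = 0; p->dsize >= 16 && i + 16 <= p->dsize; i++)
        if (memcmp(p->data + i, IFACE_UUID, 16) == 0) return 1;
    return 0;
}
/* Approach-2 rule: fires only on a decoded bind whose first context names the UUID. */
int rule_decoded_bind_uuid(const Packet *p) {
    uint8_t u[16];
    return dcerpc_bind_uuid(p->data, p->dsize, u) == 0 && memcmp(u, IFACE_UUID, 16) == 0;
}

/* Builds one frame (bind or request), optionally truncated to snaplen bytes as a short capture
 * would be, decodes it and returns (content rule << 1) | decoded rule, or -1 if decoding refuses it. */
int classify(int use_bind, size_t snaplen) {
    uint8_t pdu[72], frame[128]; Packet p;
    size_t len = build_frame(frame, pdu, use_bind ? build_bind_pdu(pdu) : build_request_pdu(pdu));
    if (snaplen && snaplen < len) len = snaplen;
    if (decode_packet(frame, len, &p) != 0) return -1;
    return (rule_content_uuid(&p) << 1) | rule_decoded_bind_uuid(&p);
}
```

With the constructed inputs, classify(1, 0) returns 3: both rules fire on a genuine bind. classify(0, 0) returns 2: the content rule also fires on a request whose stub data merely carries the same 16 bytes, which is the kind of rule mistake the first approach leaves open, while the decoded check stays quiet. classify(1, 40) returns -1: the layer 2 to 4 decoder refuses a frame cut short by the capture instead of reading past it, which is the check a decoder written in C must never skip. The decoded rule is narrower by construction, but it looks only at the first presentation context of a single unfragmented PDU; a production application-layer decoder has to reassemble fragments and walk every context, which is exactly the extra code the second approach buys its granularity with.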




