[Snort-devel] Snort's modules

Joel Esler jesler at ...402...
Wed Jul 25 10:41:32 EDT 2012

On Jul 25, 2012, at 8:58 AM, Pratik Narang <pratik.cse.bits at ...2499...> wrote:

> I have been playing around with Snort for a while now. I am beginning to wonder that apart from its Signatures being its biggest strength, what else are the things on which Snort relies upon? Prima facie, the preprocessor modules don't involve signatures- am I right here? Does Snort have an Anomaly engine?? If not, i would be interested in knowing how all the network stuff which cannot be detected via signatures (or you may say that I do not wish to use signatures) can be detected with Snort?

Snort can detect many things without looking into its rules engine. Obviously, as you said the ruleset being one of the most effective pieces of Snort. 

The preprocessors can be considered anomaly detection most definitely. If you look at the alerts that it generates. 

More information about the Snort-devel mailing list