[Snort-devel] Snort's modules

Russ Combs rcombs at ...402...
Fri Jul 27 10:30:05 EDT 2012


On Fri, Jul 27, 2012 at 3:17 AM, Pratik Narang <pratik.cse.bits at ...2499...> wrote:

> The preproc_rules directory contains decoder.rules, preprocessor.rules
> and sensitive-data.rules. Surely there must be more to Snort's anomaly
> detection than these 4 files :) (dependencies, et al.) Where do I
> start looking?
>

Start looking there and at the normalizer (see the README/manual).

If you think something should be added, please let us know.


> Thanks
>
>
> On Wed, Jul 25, 2012 at 8:19 PM, Russ Combs <rcombs at ...402...> wrote:
> > Snort signatures include decoder and preprocessor alerts which are
> > primarily how anomalous traffic is detected.  Check the preproc_rules/ directory in
> > the tarball.
> >
> > On Wed, Jul 25, 2012 at 8:58 AM, Pratik Narang <pratik.cse.bits at ...2499...>
> > wrote:
> >>
> >> Hi all,
> >>
> >> I have been playing around with Snort for a while now. I am beginning to
> >> wonder that apart from its Signatures being its biggest strength, what else
> >> are the things on which Snort relies upon? Prima facie, the preprocessor
> >> modules don't involve signatures - am I right here? Does Snort have an
> >> Anomaly engine?? If not, I would be interested in knowing how all the
> >> network stuff which cannot be detected via signatures (or you may say that I
> >> do not wish to use signatures) can be detected with Snort?
> >>
> >> Thanks...
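As an added example (not part of this thread and not the Snort project's own code): the decoder and preprocessor alerts Russ points to live as rule lines in preproc_rules/*.rules, each keyed by a generator id (gid) and signature id (sid), and an alert is switched off by commenting its line out. The script below parses lines in that format and reports, per generator, which alerts are enabled and which are commented out, so an operator can see which anomaly detections a given deployment actually has turned on. The sample rule lines are constructed for this example and only their syntax is meant to match Snort's; the gid, sid and msg values are illustrative and the files in the tarball are authoritative.

```python
import re
import sys

# Constructed sample in the style of Snort 2.9 preproc_rules/*.rules
# (illustrative gid/sid/msg values; the real files in the tarball are authoritative).
SAMPLE_RULES = """\
# decoder.rules style lines
alert ( msg: "DECODE_NOT_IPV4_DGRAM"; sid: 1; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
# alert ( msg: "DECODE_IPV4_INVALID_HEADER_LEN"; sid: 2; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
alert ( msg: "DECODE_IPV4_DGRAM_LT_IPHDR"; sid: 3; gid: 116; rev: 1; metadata: rule-type decode; classtype: protocol-command-decode; )
# preprocessor.rules style lines
alert ( msg: "STREAM5_SYN_ON_EST"; sid: 1; gid: 129; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
alert ( msg: "HTTP_INSPECT_OVERSIZE_DIR"; sid: 15; gid: 119; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
"""

# A rule line, optionally commented out with a leading '#'.
RULE_RE = re.compile(r'^(?P<disabled>#\s*)?alert\s*\(\s*(?P<body>.*)\)\s*$')
# "key: value;" options inside the parentheses; msg values are quoted.
OPT_RE = re.compile(r'(?P<key>\w+(?:-\w+)?)\s*:\s*(?P<val>"[^"]*"|[^;]*);')


def parse_rule(line):
    """Parse one decoder/preprocessor rule line; return None if it is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {k: v.strip().strip('"') for k, v in OPT_RE.findall(m.group('body'))}
    return {
        'enabled': m.group('disabled') is None,
        'gid': int(opts.get('gid', 1)),  # Snort treats a missing gid as 1 (text rules)
        'sid': int(opts['sid']),
        'msg': opts.get('msg', ''),
        'rule_type': opts.get('metadata', '').replace('rule-type', '').strip(),
    }


def parse_rules(text):
    """Return all rule entries in a rules file, including commented-out ones."""
    rules = []
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith('#') and not re.match(r'^#\s*alert\b', s):
            continue  # ordinary comment, not a disabled rule
        r = parse_rule(s)
        if r:
            rules.append(r)
    return rules


def summarize(rules):
    """Count enabled and disabled alerts per generator id."""
    out = {}
    for r in rules:
        e = out.setdefault(r['gid'], {'enabled': 0, 'disabled': 0})
        e['enabled' if r['enabled'] else 'disabled'] += 1
    return out


def disabled_alerts(rules):
    """List 'gid:sid msg' for every commented-out alert, sorted for stable output."""
    return sorted(f"{r['gid']}:{r['sid']} {r['msg']}" for r in rules if not r['enabled'])


if __name__ == '__main__':
    # With file arguments, inventory real preproc_rules files; otherwise use the sample.
    text = ''.join(open(p).read() for p in sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_RULES
    rules = parse_rules(text)
    for gid, counts in sorted(summarize(rules).items()):
        print(f"gid {gid}: {counts['enabled']} enabled, {counts['disabled']} disabled")
    for entry in disabled_alerts(rules):
        print('disabled:', entry)
```

Run it as `python inventory.py /path/to/preproc_rules/decoder.rules /path/to/preproc_rules/preprocessor.rules` to inventory a real install. Note that a rule being present and enabled in these files only controls whether the event is reported; the corresponding decoder check or preprocessor (including the normalizer) still has to be configured in snort.conf for the condition to be detected at all.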