[Snort-devel] Snort's detection scheme
j2mb0 at ...3692...
Fri May 12 16:03:40 EDT 2017
Dear Snort Development Members,
In the frame of my thesis, I want to contribute to the Snort project by
hopefully implementing a faster variant of the detection engine, on which
some experiments are going to be conducted. These experiments will not
only evaluate the new approach but also compare it to Snort's detection
scheme. Thus, it is necessary to overcome the problems I am facing in
the following. I hereby want to ask some questions about Snort's
detection process before modifying the source code and/or writing my
own detection plugin:
(1) In the year 2003, a patch called "Snort-NG" was submitted by
Christopher Kruegel which replaces the detection engine by utilizing a
decision-tree-based scheme described in
The authors deleted the source code from their website and there are no traces
of Snort-NG online. Is there any way to find it?
(2) With the release of Snort-2, the detection scheme is not
single-match anymore. This is what I have understood from the
content of the document
packet classification the corresponding port group is chosen and then,
2. a parallel string matching is applied which might result in different
matching rules. After reading the source code in Snort (pcrm.c), where a
description of how the rule groups are chosen is given, I am
becoming confused: how does the described procedure correlate to the alert
order described in https://www.snort.org/faq/readme-alert_order? Does
Snort find all matching rules and trigger an alert only for the first
one, with the rest residing in the event queue, or does it stop
after matching the first rule only? There is no official description of
the exact matching algorithm; I am confused.
(3) If I were to replace the detection scheme of Snort while still
wanting to take advantage of the RTN and OTN, say for example, by
applying a linear search over the RTN, does this step require writing a
detection plugin OR is it about replacing the detection engine of Snort
(4) What is the best way to debug and view data structures related to the
I would be thankful for any help.
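The two-stage scheme and the event-queue ordering asked about in (2), as an added, simplified model (this is not Snort's code and not the questioner's): rules are bucketed into port groups by header fields, every rule whose content occurs in the payload is collected rather than stopping at the first hit, and an event queue then orders and truncates the matches. The rule set, packet and the tie-breaking by content length under priority ordering are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed toy rules, not Snort's own. Each rule pairs RTN-style header
# fields (proto, dst_port) with OTN-style options (content pattern, priority).
RULES = [
    {"sid": 1, "proto": "tcp", "dst_port": 80, "content": b"/cgi-bin/",    "priority": 2},
    {"sid": 2, "proto": "tcp", "dst_port": 80, "content": b"../",          "priority": 1},
    {"sid": 3, "proto": "tcp", "dst_port": 80, "content": b"/cgi-bin/../", "priority": 1},
    {"sid": 4, "proto": "tcp", "dst_port": 21, "content": b"USER ",        "priority": 3},
]


def build_port_groups(rules):
    """Stage 1 setup: bucket rules by (proto, dst_port) so a packet is only
    checked against rules whose header fields can possibly apply to it."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["proto"], r["dst_port"])].append(r)
    return groups


def match_all(groups, proto, dst_port, payload):
    """Stage 2: search the selected port group and return EVERY rule whose
    content occurs in the payload (a plain substring scan stands in for a
    multi-pattern matcher); matching does not stop at the first hit."""
    return [r for r in groups.get((proto, dst_port), []) if r["content"] in payload]


def queue_events(matches, max_queue=8, log=3, order="priority"):
    """Event queue model: keep at most max_queue matches, order them, and
    emit only the first `log` of them. 'priority' orders lowest priority
    number first (tie-break: longest content, an assumption of this model);
    'content_length' orders longest content first."""
    if order == "priority":
        key = lambda r: (r["priority"], -len(r["content"]))
    else:
        key = lambda r: -len(r["content"])
    queued = sorted(matches[:max_queue], key=key)
    return [r["sid"] for r in queued[:log]]


def detect(rules, proto, dst_port, payload, **queue_opts):
    """Run both stages and the event queue; returns the SIDs that get logged."""
    groups = build_port_groups(rules)
    return queue_events(match_all(groups, proto, dst_port, payload), **queue_opts)


if __name__ == "__main__":
    pkt = b"GET /cgi-bin/../index.html HTTP/1.0"      # constructed sample payload
    print(detect(RULES, "tcp", 80, pkt))               # [3, 2, 1]: all three hits, ordered
    print(detect(RULES, "tcp", 80, pkt, log=1))        # [3]: only the top event is logged
```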