[Snort-devel] Snort's detection scheme

j2mb0 at ...3692...
Fri May 12 16:03:40 EDT 2017


Dear Snort Development Members,

in the frame of my thesis, I want to contribute to the Snort project by 
hopefully implementing a faster variant of the detection engine, on which 
some experiments are going to be conducted. These experiments will not 
only evaluate the new approach but also compare it to Snort's detection 
scheme. Thus, it is necessary to overcome the problems I am facing, 
described in the following. Hereby I want to ask some questions about Snort's 
detection process before modifying the source code and/or writing my 
own detection plugin:

(1) In the year 2003, a patch called "Snort-NG" was admitted by 
Christopher Kruegel which replaces the detection engine with a 
decision tree based scheme described in 
(http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.10.9927). The 
authors deleted the source code from their website and there are no traces 
of Snort-NG online. Is there any way to find it?

(2) With the release of Snort-2, the detection scheme is not 
single-match anymore. This is what I have understood from the 
content of the document 
(http://web.cs.ucdavis.edu/~wu/ecs236/sf_snort20_HPMRIE.pdf): upon 
packet classification the corresponding port-group is chosen, and then 
a parallel string matching is applied which might result in several 
matching rules. After reading the source code in Snort (pcrm.c), where a 
description of how the rule groups are chosen is given, I am 
becoming confused: how does the described procedure correlate to the alert 
order described in https://www.snort.org/faq/readme-alert_order? Does 
Snort find all matching rules and trigger an alert only for the first 
one, with the rest residing in the event queue, or does it stop 
after matching the first rule only? There is no official description of 
the exact matching algorithm - I am confused.

(3) If I were to replace the detection scheme of Snort while still 
wanting to take advantage of the RTN and OTN, say for example, by 
applying a linear search over the RTN, does this step require writing a 
detection plugin OR is it about replacing the detection engine of Snort 
itself?

(4) What is the best way to debug and view the data structures related to the 
classification scheme?

I would be thankful for any help.

Best Greetings,
Alex Matanis
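The flow that question (2) sketches (choose a port-group from the packet header, run one pass of content matching over every rule in that group, collect every rule that matches, then let an event queue decide which of those matches are actually logged) can be made concrete with a small simulation. The following is an added example written for this page; it is not Snort's code and does not reproduce pcrm.c or the real event-queue implementation. The rule and packet records, the `max_queue`/`log`/`order` parameters and the two ordering modes are assumptions modelled loosely on the knobs the linked readme-alert_order document describes, so check the exact semantics against that document rather than against this toy.

```python
"""Toy multi-match detection pipeline with an event queue.

Constructed illustration of the "port-group -> match all rules ->
queue -> order -> log top N" flow; NOT Snort's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Simplified rule: one header criterion (like an RTN) plus one
    content pattern and a priority (like parts of an OTN)."""
    sid: int
    dst_port: int
    content: bytes
    priority: int  # lower number = higher priority (assumed convention)
    msg: str


@dataclass(frozen=True)
class Packet:
    dst_port: int
    payload: bytes


def build_port_groups(rules):
    """Classification step: bucket rules by destination port so a packet
    only has to be tested against the rules of its own group."""
    groups = {}
    for rule in rules:
        groups.setdefault(rule.dst_port, []).append(rule)
    return groups


def find_all_matches(rules, packet):
    """Multi-match step: every rule in the packet's port-group whose
    content occurs in the payload is returned, not just the first one."""
    group = build_port_groups(rules).get(packet.dst_port, [])
    return [rule for rule in group if rule.content in packet.payload]


def order_events(events, mode):
    """Event-queue ordering. 'content_length' prefers the longest matched
    pattern, 'priority' prefers the most important rule; ties fall back to
    the other criterion and finally to sid so the result is deterministic."""
    if mode == "content_length":
        key = lambda r: (-len(r.content), r.priority, r.sid)
    elif mode == "priority":
        key = lambda r: (r.priority, -len(r.content), r.sid)
    else:
        raise ValueError(f"unknown order mode: {mode}")
    return sorted(events, key=key)


def detect(rules, packet, max_queue=8, log=3, order="content_length"):
    """Full pipeline. Returns (all matching sids, sids actually logged).

    max_queue caps how many matches are kept in the queue, log caps how
    many of the ordered queue entries are emitted as alerts (assumed
    meaning of the parameters, see lead-in)."""
    matches = find_all_matches(rules, packet)
    queued = matches[:max_queue]
    logged = order_events(queued, order)[:log]
    return [r.sid for r in matches], [r.sid for r in logged]


# Constructed sample rule set (sids and patterns are made up).
SAMPLE_RULES = [
    Rule(1, 80, b"GET /", 3, "plain HTTP GET"),
    Rule(2, 80, b"/admin", 2, "admin path"),
    Rule(3, 80, b"../", 1, "directory traversal marker"),
    Rule(4, 80, b"/admin/../", 2, "traversal out of admin path"),
    Rule(5, 22, b"SSH-", 3, "SSH banner"),
]

# Constructed sample packet: four of the five rules match its payload.
SAMPLE_PACKET = Packet(80, b"GET /admin/../etc/passwd HTTP/1.0")

if __name__ == "__main__":
    all_hits, logged = detect(SAMPLE_RULES, SAMPLE_PACKET)
    print("all matches:", all_hits, "logged (content_length):", logged)
    _, logged_prio = detect(SAMPLE_RULES, SAMPLE_PACKET, order="priority")
    print("logged (priority):", logged_prio)
```

Running it shows the distinction the question is after: `find_all_matches` reports sids 1, 2, 3 and 4 for the sample packet, while `detect` with `log=3` emits only three of them, and which three depends on the ordering mode (longest content first gives 4, 2, 1; priority first gives 3, 4, 2). Changing `log` or `max_queue` is the quickest way to see how much of the matched set ever becomes visible as an alert.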
