[Snort-sigs] logical operators and snort rules

Brian bmc at ...95...
Mon Jun 23 12:25:08 EDT 2003


On Thu, Jun 19, 2003 at 03:40:16PM -0700, Terence Runge wrote:
> I am trying to understand snort and logical operators within snort
> rules.Specifically, how does snort read and, or, and xor?

The detection options are handled in sequence.  There are not any
logical operators.

in pre 2.0, it was rather easy to figure out what snort did.  it was
all a matter of walking a linked list of plugins.   

This is a bastardization of the pre 2.0 detection engine:

   foreach my $rule (keys %rules) {
       my $alert = 0;
       foreach my $detection (keys %{$rules->{$rule}}) {
          my $function = $detection->{'function'};
          my $value = $detection->{'value'};
          if (!&$function($value)) {
              $alert = 1;
              last;
          }
       }

       if ($alert) {
           alert();
       }
   }

In 2.0, the detection engine was changed to check the longest pattern
in each rule up front and go from there.

-brian




More information about the Snort-sigs mailing list