[Snort-users] Re: Documentation.

Shaiful shaifuljahari at ...131...
Thu Sep 6 18:14:02 EDT 2001


If you mean the documentation of the internal
workings of Snort, then the casual response is:
please read the source code ;-)

However, if you want the easy way, it is to find the
available documentation.  Since most of the
documentation is 'how to use Snort as a user' rather
than 'how to understand Snort', you probably think
that you can't find what you're looking for...

So, for anyone who wants to know the internals but
is afraid or too lazy to read the source code, there
are actually shortcuts, as I'll tell you in a
moment...

First and foremost, there is a paper and presentation
given by Marty at LISA.  Please read it; although a
bit outdated, it will help you understand the
philosophy and the basics of Snort. Thanks Marty for
pioneering the whole

Secondly, there is a document with a very good
table of contents by Andrew Baker ;-)  Unfortunately
it has been unfinished since 2000; however, it is
still a good start.  Thanks Andrew. A simple search
on 'snort documentation' using Google will get you
there...

Thirdly, IMHO, the finest of them all for
understanding the internal workings of Snort is the
Snortnet thesis by Fyodor. Thanks for the great
explanation.  When was the last time you saw a Snort
flowchart? Yeah, you'll see that, plus a flowchart
of pcap_loop, and a detailed explanation of how to
write your very own plugin, with the Snortnet plugin
as a case study. Go and get it now at

Last but not least is the latest Snort 1.8.1 manual.
Very good, five stars. Marty, maybe you should take
a holiday and write a book...

Oh yeah, I nearly forgot about Yen-Ming Chen's
excellent survey of Snort log analysis at unixreview.
Talking about logs, don't forget to read Jed's and
Roman's excellent thesis at www.incident.org. They
wrote several output plugins for Snort.  Thanks
guys...

More are popping into my head, such as the
SiliconDefense paper 'Faster String Matching
Exceeding the Speed of Snort', but I have to stop
before my boss comes to the office..


--- Vahid Shamai <vahid.shamai at ...3341...> wrote:
> Hello everyone!
> I am a novice in this area.
> I wondered if there is some documentation about
> "SNORT" as a system
> and its different parts/entities.
> regards,
> Vahid Shamai

