[Snort-users] Analysis done by Snort

Ashley Thomas athomas at ...3539...
Wed Sep 26 19:22:03 EDT 2001


I have a doubt regarding how snort does the analysis.
When Snort starts it reads all the rules from the snort.conf file which
we specify using the -c option.

Then whenever a new packet arrives, depending on what protocol it is,
different rules are applied to it to see if there is a match,
i.e. if the packet belongs to FTP then ftp.rules are applied to it;
if it is a telnet packet, then telnet.rules is applied.

Similarly, scan rules would be applied whenever we get a 'tcp syn'.

Is this how Snort does it? Please correct me if I have misunderstood it.
Also please point out if there is any place where I can read on how
Snort does the analysis.

Thanks a lot
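As an added illustration (not from the original post and not Snort's own code), a small Python model of what selects a rule for a packet: the rule's own header (protocol and ports) plus options such as `flags`, rather than the file the rule was loaded from. The rules and packets are constructed samples, and the parser is a deliberately simplified stand-in that ignores IP addresses and the `<>` direction.

```python
import re

# Constructed rules in Snort header syntax (sample values, not a real ruleset).
RULES = [
    'alert tcp any any -> any 21 (msg:"FTP control channel"; sid:1000001;)',
    'alert tcp any any -> any 23 (msg:"Telnet session"; sid:1000002;)',
    'alert tcp any any -> any any (msg:"TCP SYN seen"; flags:S; sid:1000003;)',
    'alert udp any any -> any 53 (msg:"DNS query"; sid:1000004;)',
]

# action proto src sport -> dst dport (options)
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)$")


def parse_rule(text):
    """Toy parser: returns header fields plus an options dict. IP addresses
    are accepted but ignored, and option values containing ';' are not handled."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError(f"unparsable rule: {text}")
    action, proto, _src, sport, _dst, dport, opts = m.groups()
    options = {}
    for opt in (o.strip() for o in opts.split(";")):
        if opt:
            key, _, val = opt.partition(":")
            options[key.strip()] = val.strip().strip('"')
    return {"action": action, "proto": proto.lower(), "sport": sport,
            "dport": dport, "options": options}


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def matching_sids(rules, pkt):
    """sids of every rule whose header (protocol and ports) fits the packet and
    whose 'flags' option, if present, equals the packet's TCP flags."""
    hits = []
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (_port_match(r["sport"], pkt["sport"]) and _port_match(r["dport"], pkt["dport"])):
            continue
        want = r["options"].get("flags")
        if want is None or set(want) == set(pkt.get("flags", "")):
            hits.append(int(r["options"]["sid"]))
    return hits


PARSED = [parse_rule(r) for r in RULES]
```

A SYN to port 21 therefore hits both the FTP rule and the generic SYN rule, because each rule's header matches on its own, independent of which .rules file it came from.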

