[Snort-users] Analysis done by Snort

Ashley Thomas athomas at ...3539...
Wed Sep 26 19:22:03 EDT 2001


Hi,

I have a doubt regarding how snort does the analysis.
When Snort starts it reads all the rules from the snort.conf file which
we specify using -c option.

Then whenever a new packet arrives, depending on what protocol it is,
different rules are applied to it to
see if there is a match.
i.e. if the packet belongs to ftp then ftp.rules are applied to it.
if it is a telnet packet, then telnet.rules is applied.

Similarly scan rules would be applied whenever we get 'tcp syn'
packets.

Is it how snort does it? Please correct me if I have understood it
wrong.
Also please point out if there is any place where I can read on how
snort does the analysis.

thanks a lot
Ashley
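
A small model of the protocol-keyed dispatch the question describes, added here as an illustration (it is not from the post and not Snort's own source): rules in Snort header syntax are parsed, grouped by protocol, and a packet is checked only against its own protocol's chain, then against ports, then against the `flags` option. The rule set and packets are constructed, and option handling is simplified to `msg` and `flags`.

```python
import re
# Constructed Snort-style rules for this example (not from the original post).
RULES = """
alert tcp any any -> any 21 (msg:"FTP command channel"; sid:1000001;)
alert tcp any any -> any 23 (msg:"TELNET session"; sid:1000002;)
alert tcp any any -> any any (msg:"TCP SYN probe"; flags:S; sid:1000003;)
alert udp any any -> any 53 (msg:"DNS query"; sid:1000004;)
"""
# Rule header: action proto src_ip src_port -> dst_ip dst_port (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_options(text):
    """Turn 'msg:"x"; flags:S; sid:1;' into a dict, stripping the msg quotes."""
    opts = {}
    for item in filter(None, (s.strip() for s in text.split(';'))):
        key, _, val = item.partition(':')
        opts[key.strip()] = val.strip().strip('"')
    return opts

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line)
        if not m: raise ValueError("unparseable rule: " + line)
        action, proto, _sip, sport, _dip, dport, opts = m.groups()
        rules.append({"action": action, "proto": proto, "sport": sport,
                      "dport": dport, "opts": parse_options(opts)})
    return rules

def build_rule_tree(rules):
    """Key rules by protocol first: a packet only walks its own protocol's chain."""
    tree = {}
    for r in rules:
        tree.setdefault(r["proto"], []).append(r)
    return tree

def port_ok(spec, port):
    return spec == "any" or int(spec) == port

def match_packet(tree, pkt):
    hits = []
    for r in tree.get(pkt["proto"], []):   # rules for other protocols are never visited
        if not (port_ok(r["sport"], pkt["sport"]) and port_ok(r["dport"], pkt["dport"])):
            continue
        # 'flags:S' means exactly SYN set; simplified here to an exact string compare
        if "flags" in r["opts"] and r["opts"]["flags"] != pkt.get("flags", ""):
            continue
        hits.append(r["opts"]["msg"])
    return hits
TREE = build_rule_tree(parse_rules(RULES))
```

Real Snort also matches source and destination IP specs and many more rule options before a rule fires; only the protocol-then-header-then-options order is modelled here.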
