[Snort-users] Analysis done by Snort
athomas at ...3539...
Wed Sep 26 19:22:03 EDT 2001
I have a doubt regarding how snort does the analysis.
When Snort starts it reads all the rules from the snort.conf file which
we specify using -c option.
Then whenever a new packet arrives, depending on what protocol it is, different rules are applied to it to see if there is a match,
i.e. if the packet belongs to FTP then ftp.rules are applied to it;
if it is a telnet packet, then telnet.rules is applied.
Similarly, scan rules would be applied whenever we get a 'tcp syn'.
Is that how Snort does it? Please correct me if I have understood it.
Also, please point out if there is any place where I can read on how Snort does the analysis.
thanks a lot
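How Snort selects rules for a packet, as an added Python sketch that is not Snort's own code: every rule loaded through snort.conf (directly or via an `include` of ftp.rules, telnet.rules, scan.rules and so on) goes into one rule set that Snort indexes by the rule header (action, protocol, addresses, ports); the file a rule came from plays no part in matching, and the rule options such as `content:` and `flags:` are tested only after the header has matched. The rules, the sids in the 900000 range and the packets below are constructed for this example, the index is a simplified stand-in for Snort's rule tree, and the `flags:` check is reduced to an exact flag-set comparison.

```python
"""Toy model of Snort rule selection (illustration only, not Snort source).

Rules are parsed from their header, indexed by (protocol, destination port),
and a packet is tested against every rule whose header fits it, regardless
of which rules file the rule was included from. Rule options (content:,
flags:) are evaluated only for those header matches.
"""
import re
from collections import defaultdict

# Constructed sample rule set in Snort 1.x syntax; sids are hypothetical.
SAMPLE_RULES = """
alert tcp any any -> any 21 (msg:"FTP USER"; content:"USER "; sid:900001;)
alert tcp any any -> any 23 (msg:"TELNET login"; content:"login"; sid:900002;)
alert tcp any any -> any any (msg:"SYN probe"; flags:S; sid:900003;)
alert udp any any -> any 53 (msg:"DNS query"; sid:900004;)
"""

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def parse_rule(line):
    """Split one rule into its header fields and a dict of options."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable rule: " + line)
    rule = m.groupdict()
    opts = {}
    # Simplification: options are split on ';', so a content: containing ';'
    # would need real quoting support.
    for opt in rule.pop("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def build_tree(rules):
    """Index rules by (proto, dst port) from the header; 'any' is a catch-all."""
    tree = defaultdict(list)
    for r in rules:
        tree[(r["proto"], r["dport"])].append(r)
    return tree


def port_matches(pattern, port):
    return pattern == "any" or int(pattern) == port


def options_match(rule, pkt):
    opts = rule["opts"]
    if "content" in opts and opts["content"].encode() not in pkt["payload"]:
        return False
    # Simplified flags: the packet must carry exactly the listed flags.
    if "flags" in opts and set(opts["flags"]) != set(pkt.get("flags", "")):
        return False
    return True


def match_packet(tree, pkt):
    """Return the sids of all rules whose header and options match pkt."""
    candidates = (tree[(pkt["proto"], str(pkt["dport"]))]
                  + tree[(pkt["proto"], "any")])
    return [r["opts"]["sid"] for r in candidates
            if port_matches(r["sport"], pkt["sport"])
            and port_matches(r["dport"], pkt["dport"])
            and options_match(r, pkt)]


RULE_TREE = build_tree(load_rules(SAMPLE_RULES))

# Constructed packets: an FTP login, a bare SYN to the FTP port, a telnet
# banner, a DNS query and HTTP traffic that no rule covers.
SAMPLE_PACKETS = {
    "ftp login": {"proto": "tcp", "sport": 34567, "dport": 21, "flags": "PA",
                  "payload": b"USER anonymous\r\n"},
    "syn to 21": {"proto": "tcp", "sport": 40001, "dport": 21, "flags": "S",
                  "payload": b""},
    "telnet": {"proto": "tcp", "sport": 40002, "dport": 23, "flags": "PA",
               "payload": b"login: "},
    "dns": {"proto": "udp", "sport": 5353, "dport": 53, "payload": b"\x12\x34"},
    "http": {"proto": "tcp", "sport": 40003, "dport": 80, "flags": "PA",
             "payload": b"GET / HTTP/1.0\r\n"},
}


def run_demo():
    return {name: match_packet(RULE_TREE, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name:10s} -> {hits or 'no match'}")
```

The point the sketch makes is that the FTP login and the bare SYN both reach the "FTP" rule and the "scan" rule as candidates because both headers fit a TCP packet to port 21; which one fires is decided by the options, not by which rules file supplied the rule.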