[Snort-users] Analysis done by Snort

John Berkers berjo at ...827...
Thu Sep 27 06:15:02 EDT 2001

When snort starts it reads the rules in from the specified conf file.  If
include statements appear, then it reads the contents of these files as
well.  As each rule is read it is added into a rule tree (I'm not sure how
Marty put it together, but it's pretty nifty how it works).  If you are
running snort in non-daemon mode it will echo to standard out how many rules
it has read, and how many rule headers it created.  The order in which the
rules appear in the files is important in some cases.  If you have two
similar rules you would need to put the more specific one first.

Once snort has finished reading the rules files successfully it no longer
cares which file the rule came from, this is only ever used when snort
reports a problem with a rule.  The rule files are only named the way they
are for a logical method of grouping them together, making it easier for
analysts to find a particular rule.  You could (if you wanted to) put a
telnet rule in ftp.rules, or vice versa.  It won't make a difference to
snort where the rule came from.

When snort receives a packet to process it goes about matching it to one of
the rules in the rule chains.  It does this by comparing protocol (TCP, UDP,
ICMP) and then Source IP, Source Port, Dest IP, Dest Port, and whatever
other options (Content, Flags, DSize, CSum, etc.) are specified for any of
the rules.  The first match is what an alert is generated for, if there are
any other matches, you will not see them, it is up to you to further analyse
the packet & payload and act upon it.

Hope that clarifies things for you (and hope I got none of it too wrong).


John Berkers                                       ICQ: 112912
Network Services                            Hansen Corporation
john.berkers at ...3164...               berjo at ...827...

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Ashley
Sent: Thursday, 27 September 2001 12:11
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Analysis done by Snort


I have a doubt regarding how snort does the analysis.
When Snort starts it reads all the rules from the snort.conf file which
we specify using -c option.

Then when ever a new packet arrives, depending on what protocol it is,
different rules are applied to it to
see if there is a match.
ie if the packet belongs to ftp then ftp.rules are applied to it.
if it is a telnet packet, then telnet.rules is applied.

Similarly scan rules would be applied when ever we get 'tcp syn'

Is it how snort does it ? Please correct me if i have understood it
Also please point out if there is any place where i can read on how
snort does the analysis.

thanks a lot

Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list