[Snort-users] Documentation regarding snort internals.

Fyodor fygrave at ...121...
Thu Feb 28 14:09:11 EST 2002


Chris Keladis <Chris.Keladis at ...2783...> spoke:
> Ashley Thomas wrote:
> 
> 
> Hi Ashley,
> 
> > Is there any documentation regarding Snort internals, ie how the packet
> > processing is done, how is the rule set implemented etc ?
> > 
> > I could'nt find any in the documentation section in snort.org.
> > 
> > any pointers is welcome.
> 
> Probably comments in the code will be your best bet.
> 
> The Snort FAQ explains the use of RuleTreeNodes (RTN) and OptTreeNodes
> (OTN),  the 2d linked-list structure used in Snort to "IDS" packets.
> 
> The rest would probably be libpcap magic which the pcap man page would
> describe in relative detail.

The badly outdated 2 years old piece is available at
http://snortnet.scorpions.net. If anyone is interesting to take over the
ownership of the document, I'd help with answering any technical queries
and passing all the .tex/source data to the person. Just never had a
chance to update the document since my grad. :-)





More information about the Snort-users mailing list