[Snort-users] Snort architecture- How Detection Engine works?

Daniel Lopez dlopez at ...6134...
Sun Jun 30 14:39:02 EDT 2002


Hello,

I would like to understand how the Detection Engine works.

I could read in the Snort Users Manual that currently, four protocols
were analyzed for suspicious behavior: TCP, UDP, ICMP and IP. I also
read that the detection engine uses a three-dimensional linked list for
the rule matching and thus, for each protocol, a separate
three-dimensional linked list was created, is it right?

When a packet arrives at the detection engine, depending on the
protocol, it will be sent to the correct rule tree, then compared
against each Rule Tree Node (RTN) from the left to the right of the rule
tree. When a match is found, it is compared against each Option Tree
Node (OTN), and again, until a match is found. Still right?

However, an IP packet can contain a TCP or a UDP packet. Does it mean
that if I have IP rules and TCP rules, the packet will be first checked
against the RTNs and the OTNs of the IP rule tree, and then, against the
RTNs and OTNs of the TCP rule tree?

How does this work?
Thanks! :)

Daniel Lopez
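The two-level RTN/OTN walk described in the question, as an added illustration (not code from the list or from Snort itself): a constructed rule set with one tree per protocol, where a packet is dispatched to its protocol's tree, RTN headers are tested left to right, and the first matching RTN's OTN chain is walked until an option matches. It only models the dispatch-to-one-tree behaviour the post describes and does not settle the IP-tree-versus-TCP-tree ordering question.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of the two-level rule tree the post describes:
# one list of Rule Tree Nodes (RTNs) per protocol; each RTN holds the
# header test (addresses/port) and a chain of Option Tree Nodes (OTNs)
# carrying the per-rule options (here just a content string and a message).
# Assumption: an illustration only, not Snort's own data structures.

@dataclass
class OTN:
    content: bytes   # payload substring the rule looks for (b"" = any payload)
    msg: str         # alert message for this rule

@dataclass
class RTN:
    src: str                  # "any" or an exact address
    dst: str
    dport: Optional[int]      # None = any port (IP/ICMP rules carry no port)
    otns: list = field(default_factory=list)

    def header_matches(self, pkt: dict) -> bool:
        return ((self.src == "any" or self.src == pkt["src"])
                and (self.dst == "any" or self.dst == pkt["dst"])
                and (self.dport is None or self.dport == pkt.get("dport")))

def build_trees() -> dict:
    """Constructed sample rule set: one tree per protocol, as in the post."""
    return {
        "tcp": [
            RTN("any", "10.0.0.5", 80, [OTN(b"/etc/passwd", "WEB traversal attempt"),
                                        OTN(b"cmd.exe", "WEB cmd.exe access")]),
            RTN("any", "any", 23, [OTN(b"", "TELNET session")]),
        ],
        "udp": [RTN("any", "any", 53, [OTN(b"", "DNS query")])],
        "icmp": [RTN("any", "any", None, [OTN(b"", "ICMP traffic")])],
        "ip": [RTN("192.168.1.1", "any", None, [OTN(b"", "Traffic from watched host")])],
    }

def match(trees: dict, pkt: dict) -> Optional[str]:
    """Walk the tree for pkt's protocol: RTNs left to right, then the matching
    RTN's OTNs until one hits. If no OTN of an RTN matches, the walk moves on
    to the next RTN. Returns the rule message or None."""
    for rtn in trees.get(pkt["proto"], []):
        if not rtn.header_matches(pkt):
            continue                       # header mismatch: next RTN
        for otn in rtn.otns:
            if otn.content in pkt["payload"]:
                return otn.msg             # first OTN hit ends the walk
    return None
```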
