[Snort-users] Snort architecture- How Detection Engine works?

Yasir Abbas syabbast at ...131...
Sun Jun 30 23:07:06 EDT 2002

Umm! And I thought that all Snort rules are checked
for a packet, without any depth, ie, something like:
"IF this rule is true, then check for this rule, else
not" does not take place, instead all rules are
checked with AND within the rule itself, and OR
between different rules; except activate of course,
but that too activates other rules not for the same
packet, but for the forthcoming packets. So I was

- yasir

--- Daniel Lopez <dlopez at ...6134...> wrote:
> Hello,
> I would like to understand how the Detection Engine
> works.
> I could read in the Snort Users Manual that
> currently, four protocols
> were analyzed for suspicious behavior: TCP, UDP,
> ICMP and IP. I also
> read that the detection engine uses a
> three-dimensional linked list for
> the rule matching and thus, for each protocol, a
> separate
> three-dimensional linked list was created, is it
> right?
> When a packet arrives at the detection engine,
> depending on the
> protocol, it will be sent to the correct rule tree,
> then compared
> against each Rule Tree Node (RTN) from the left to
> the right of the rule
> tree. When a match is found, it is compared against
> each Option Tree
> Node (OTN), and again, until a match is found. Still
> right?
> However, an IP packet can contain a TCP or a UDP
> packet. Does it mean
> that if I have IP rules and TCP rules, the packet
> will be first checked
> against the RTNs and the OTNs of the IP rule tree,
> and then, against the
> RTNs and OTNs of the TCP rule tree?
> How does this work?
> Thanks! :)
> Daniel Lopez

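The two-level walk described in the quoted question (pick the protocol's list, match a header node, then its option nodes) together with the AND-within-a-rule evaluation from the reply, as an added C example that is not part of the thread and is not Snort's source. Struct and field names are hypothetical, the rules are constructed, and first-match-wins with fall-through to the next RTN is an assumption; the model dispatches on a single protocol field and does not show how IP rules interact with TCP or UDP rules.

```c
#include <stddef.h>
#include <string.h>
/* Simplified model; struct and field names are hypothetical, not Snort's. */
enum { P_IP, P_TCP, P_UDP, P_ICMP, P_MAX };
typedef struct { int proto; unsigned dport; const char *payload; } Packet;

typedef struct OTN {             /* one rule's options */
    const char *content[2];      /* payload substrings, all must match (AND) */
    const char *msg;
    struct OTN *next;            /* next rule sharing this header */
} OTN;

typedef struct RTN {             /* rule header shared by several rules */
    unsigned dport;              /* 0 = any port */
    OTN *down;
    struct RTN *right;
} RTN;

static int otn_match(const OTN *o, const Packet *p) {
    for (int i = 0; i < 2; i++)
        if (o->content[i] && !strstr(p->payload, o->content[i]))
            return 0;            /* one failed option fails the rule */
    return 1;
}

/* Pick the list for the packet's protocol, walk RTNs left to right, and
   under each matching header walk its OTNs; the first match wins. */
const char *detect(RTN *const trees[P_MAX], const Packet *p) {
    for (const RTN *r = trees[p->proto]; r; r = r->right) {
        if (r->dport && r->dport != p->dport) continue; /* header mismatch */
        for (const OTN *o = r->down; o; o = o->next)
            if (otn_match(o, p))
                return o->msg;
    }
    return NULL;
}

/* Constructed sample rules: two TCP/80 rules under one RTN, one TCP/23 rule. */
static OTN o3 = { { NULL, NULL }, "telnet traffic", NULL };
static OTN o2 = { { "GET", "/etc/passwd" }, "passwd fetch", NULL };
static OTN o1 = { { "POST", "/admin" }, "admin post", &o2 };
static RTN r2 = { 23, &o3, NULL };
static RTN r1 = { 80, &o1, &r2 };
static RTN *const sample_trees[P_MAX] = { NULL, &r1, NULL, NULL };

const char *sample_verdict(int proto, unsigned dport, const char *payload) {
    Packet p = { proto, dport, payload };
    return detect(sample_trees, &p);
}
```

A header mismatch skips every rule beneath that RTN without touching the payload, which is the saving the shared-header layout provides.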