[Snort-users] how to start to read the snort source code
mkettler at ...4108...
Tue Feb 3 16:39:24 EST 2004
At 07:12 PM 2/3/2004, Tao Peng wrote:
>I am a rookie to snort. I intend to understand the snort
>source code. Can anyone tell me what shall I start with.
>For example, how to understand the structure of snort. what
>function of each source code provides? any documents or other
>information is highly appreciated!
DISCLAIMER: I'm not a snort devel, so I'm largely talking from a limited
understanding of this stuff. I'm also looking at a 2.0.5 source tree at the
moment (it's what I have laying around on my windows box)
Most of the "top level" stuff should be obvious if you're fairly familiar
with C programming and normal snort usage/configuration.
However you'll probably need to get a good understanding of how the guts of
snort really work in an abstract way before looking at the code.
I'd suggest reading some of sourcefire's whitepapers on the snort guts for
Although dated, the original snort paper that Marty put out is good:
As for the source itself, most of the files are pretty clearly named and/or
commented, at least well enough to get started.
ie: looking at the comments on the top of mpse.c, it states it's " An
abstracted interface to the Multi-Pattern Matching routines", so probably
stands for "Multi Pattern Search Engine". The rest of the file is not
commented very much (in 2.0.5), but it's basic functionality is apparent.
In general, most of the basic "core" snort functionality is implemented by
the files right in the src directory.
src/parser contains some tools for parsing rule files
src/preprocessors contains packet preprocessors like http_decode, stream4, etc
src/detection-plugins contains code that does the grunt work of seeing if a
packet matches certain parts of the rule trees. This is where dsize checks,
etc are done.
src/output-plugins contains logging and other output modules
src/win32 contains win32 specific add-ons to the code.
More information about the Snort-users