[Snort-users] (no subject)

Keith W. McCammon keith-list at ...6015...
Sun Feb 22 17:37:03 EST 2004


Sumit,

You'll want to read the white papers on sourcefire.com:

http://sourcefire.com/technology/snort.html

Specifically, I think the paper on the multi-rule inspection engine is 
what you're looking for...

sumit vora wrote:
> Hi folks...
> 
> Can anyone tell me...When Snort is "examining" the
> content of a packet...What happens...does it hold the
> packet at the gateway, and look for one string, say
> "chmod" all over the packet, as one rule might
> supposedly say, then, look for another, and another,
> and so on...?
> 
> Meaning, Does it look for all strings of interest in
> all the 2000 rules that are now posted on the link at
> the same time, or, does it hold the packet until each
> string of interest has been looked up, (i.e. Does it
> examine the packet payload several times for different
> strings, or, just once, for all strings)...
> 
> And, if only once, for all strings, how does snort
> take into account different depths to which the packet
> must be searched for different strings, and give a
> result without false positives?????????
> 
> 
> 
> Please folks...Serious doubt, and gotta get over
> it....
> 
> I'd appreciate any help...
> 
> Thanks,
> 
> Sumit.

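An added illustration of the question in this thread (not code from either poster and not Snort's own implementation): one general way to read a payload once for every rule's string, using the Aho-Corasick algorithm, and then test each hit's position against that rule's `offset`/`depth` window. The rule tuples, rule names and payloads are constructed samples.

```python
RULES = [  # constructed sample rules: (name, content, offset, depth)
    ("chmod-early", b"chmod", 0, 16),
    ("chmod-any", b"chmod", 0, None),  # depth None = search to end of payload
    ("passwd", b"/etc/passwd", 4, None),
    ("mod-late", b"mod", 20, 10),
]

def build_automaton(patterns):
    """Aho-Corasick: a trie plus failure links over all patterns at once."""
    goto, fail, out = [{}], [0], [[]]
    for pat in patterns:
        state = 0
        for byte in pat:
            if byte not in goto[state]:
                goto[state][byte] = len(goto)
                goto.append({})
                fail.append(0)
                out.append([])
            state = goto[state][byte]
        out[state].append(pat)
    queue = list(goto[0].values())
    for state in queue:  # breadth-first: the list grows while it is walked
        for byte, nxt in goto[state].items():
            queue.append(nxt)
            f = fail[state]
            while f and byte not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(byte, 0)
            out[nxt] = out[nxt] + out[fail[nxt]]  # inherit shorter suffix hits
    return goto, fail, out

def scan(payload, rules=RULES):
    """Read the payload once, then test each hit against its rule's window."""
    by_content = {}
    for name, content, offset, depth in rules:
        by_content.setdefault(content, []).append((name, offset, depth))
    goto, fail, out = build_automaton(by_content)
    alerts, state = set(), 0
    for pos, byte in enumerate(payload):
        while state and byte not in goto[state]:
            state = fail[state]
        state = goto[state].get(byte, 0)
        for pat in out[state]:
            start = pos + 1 - len(pat)
            for name, offset, depth in by_content[pat]:
                # the whole match must lie inside payload[offset:offset+depth]
                if start >= offset and (depth is None or pos < offset + depth):
                    alerts.add(name)
    return sorted(alerts)
```

Two rules sharing the string `chmod` with different depths cost one search, and a match that starts inside a rule's window but ends past it does not fire that rule.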



