[Snort-users] (no subject)

Keith W. McCammon
keith-list at ...6015...
Sun Feb 22 17:37:03 EST 2004

You'll want to read the white papers on sourcefire.com:

Specifically, I think the paper on the multi-rule inspection engine is
what you're looking for...

sumit vora wrote:
> Hi folks...
> Can anyone tell me...When Snort is "examining" the
> content of a packet...What happens...does it hold the
> packet at the gateway, and look for one string, say
> "chmod" all over the packet, as one rule might
> supposedly say, then, look for another, and another,
> and so on...?
> Meaning, Does it look for all strings of interest in
> all the 2000 rules that are now posted on the link at
> the same time, or, does it hold the packet until each
> string of interest has been looked up, (i.e. Does it
> examine the packet payload several times for different
> strings, or, just once, for all strings)...
> And, if only once, for all strings, how does snort
> take into account different depths to which the packet
> must be searched for different strings, and give a
> result without false positives?????????
> Please folks...Serious doubt, and gotta get over
> I'd appreciate any help...
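
An added illustration of the question raised in this thread, not part of the original posts and not Snort's own code: the payload is scanned once for all rule content strings, and each rule's depth is then checked against the recorded match positions. It uses a generic Aho-Corasick matcher as an assumed stand-in for a set-wise search; the rule ids, contents and depths are constructed.

```python
from collections import deque

# Constructed rules: (hypothetical id, content, depth or None).
# depth N: the content must lie entirely within the first N payload bytes.
RULES = [(1, b"chmod", 20), (2, b"chmod", None),
         (3, b"/bin/sh", None), (4, b"mod", 6)]

def build(patterns):
    """Build Aho-Corasick tables: goto edges, failure links, outputs."""
    goto, fail, out = [{}], [0], [set()]
    for idx, pat in enumerate(patterns):
        s = 0
        for b in pat:
            if b not in goto[s]:
                goto.append({})
                fail.append(0)
                out.append(set())
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].add(idx)
    queue = deque(goto[0].values())          # depth-1 states fail to root
    while queue:
        s = queue.popleft()
        for b, t in goto[s].items():
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] |= out[fail[t]]           # inherit shorter suffix matches
            queue.append(t)
    return goto, fail, out

def inspect(payload, rules=RULES):
    """Single pass for every content, then a per-rule depth check."""
    patterns = sorted({content for _, content, _ in rules})
    goto, fail, out = build(patterns)
    hits, s = set(), 0
    for pos, b in enumerate(payload):        # each payload byte read once
        while s and b not in goto[s]:
            s = fail[s]
        s = goto[s].get(b, 0)
        for idx in out[s]:
            hits.add((patterns[idx], pos + 1))   # (content, end offset)
    # A hit only nominates rules; each rule applies its own depth limit.
    return [sid for sid, content, depth in rules
            if any(c == content and (depth is None or end <= depth)
                   for c, end in hits)]
```

Because match positions are kept, two rules sharing the string "chmod" but with different depths can give different verdicts from the same single scan.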