[Snort-users] Rule based vs. Signature based detection engine

Tom Fulton tfulton9909 at ...5068...
Tue Jul 20 19:51:06 EDT 2004


The Snort 2.0 book by Jay Beale, et. al., (p. 142) explains that Snort is
rules-based, "which collects and correlates packets based on rules" and that
this is better than a signature engine which is nothing more than a
"definition of an attack".  Can anyone expand on this clarification?  I'm
under the impression that a rule in a *.rules file is basically a
"signature".  Do you think Jay is referring to the ability to have
pre-processor plug-ins that can normalize data before running against the
signatures (sorry, I mean rules)?  Aren't they basically the same thing when
it comes right down to it?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20040720/26812353/attachment.html>


More information about the Snort-users mailing list