[Snort-users] Rule based vs. Signature based detection engine

Matt Kettler mkettler at ...4108...
Tue Jul 20 22:05:17 EDT 2004


At 10:50 PM 7/20/2004, Tom Fulton wrote:
>The Snort 2.0 book by Jay Beale, et. al., (p. 142) explains that Snort is 
>rules-based, "which collects and correlates packets based on rules" and 
>that this is better than a signature engine which is nothing more than a 
>"definition of an attack".  Can anyone expand on this clarification?  I'm 
>under the impression that a rule in a *.rules file is basically a 
>"signature".  Do you think Jay is referring to the ability to have 
>pre-processor plug-ins that can normalize data before running against the 
>signatures (sorry, I mean rules)?  Aren't they basically the same thing 
>when it comes right down to it?

I think the comparison here is between something purely text-match-only as 
being a "signature" but snort rules are multi-conditioned, and can have 
data-dependant byte jumps, etc.





More information about the Snort-users mailing list