[Snort-users] Rule based vs. Signature based detection engine
tfulton9909 at ...5068...
Tue Jul 20 22:44:05 EDT 2004
I want to understand this difference for a paper I am writing.
Can you explain "multi-conditioned, and can have data-dependant byte jumps,
I am but a mere mortal.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Matt Kettler
Sent: Tuesday, July 20, 2004 10:04 PM
To: Tom Fulton; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rule based vs. Signature based detection engine
At 10:50 PM 7/20/2004, Tom Fulton wrote:
>The Snort 2.0 book by Jay Beale, et. al., (p. 142) explains that Snort
>rules-based, "which collects and correlates packets based on rules" and
>that this is better than a signature engine which is nothing more than a
>"definition of an attack". Can anyone expand on this clarification? I'm
>under the impression that a rule in a *.rules file is basically a
>"signature". Do you think Jay is referring to the ability to have
>pre-processor plug-ins that can normalize data before running against the
>signatures (sorry, I mean rules)? Aren't they basically the same thing
>when it comes right down to it?
I think the comparison here is between something purely text-match-only as
being a "signature" but snort rules are multi-conditioned, and can have
data-dependant byte jumps, etc.
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users