[Snort-users] snort 2.9.x.x software flow chart

waldo kitty wkitty42 at ...14940...
Thu Apr 4 14:06:03 EDT 2013


On 4/4/2013 10:59, Lawrence R. Hughes,Sr. wrote:
> Waldo Kitty,
>
> Thanks for the reply.. Software flow from internet would be great..

here are a couple of possible answers...

http://stackoverflow.com/questions/7962791/i-want-to-know-full-flow-of-how-snort-processes-a-packet


figure 6 in the below old (2004) pdf concerning snort 2.4 might help... not sure 
how far off the mark it may be with today's 2.9 version of snort...

http://www.princeton.edu/~soumyas/papers/bell_labs_report_snort.pdf


there's also the below from 5 Sep 2012 in this list...

http://comments.gmane.org/gmane.comp.security.ids.snort.general/37619


i can't get to seclists.org or insecure.org right now... but there are a few 
links pointing to them as well... oh, wait... they are pointing to the above 
discussion i linked to on gmane...


here's a little something from the father of snort, martin roesch...

http://securitysauce.blogspot.com/2007/11/snort-30-architecture-series-part-1.html


dunno if these are what you may be looking for or not... they are what i found 
from uncle google in a few minutes and using a couple of different search term 
phrases... "snort process flow", "snort packet diagram flow", "snort 
architecture diagram"... each without the quotes of course ;)



> Thanks,
> Larry
>
> -----Original Message-----
> From: waldo kitty
> Sent: Wednesday, April 03, 2013 6:43 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort 2.9.x.x software flow chart
>
> On 4/3/2013 13:28, Lawrence R. Hughes,Sr. wrote:
>> Hi,
>> I am looking for a software flowchart for snort2.9.x.x
>> Anyone know where I can find a copy?
>
> are you speaking of the internet to snort flow or a flow chart for 
> installation or something else?
>
>> Also, what program handles the capture point (where packets are deemed not 
>> to be a threat and are allowed to pass)?
>
> there are two options, if i'm understanding your question...
>
> the first option is snort in inline mode with DROP rules... in this mode, the 
> traffic comes in on one interface to snort, gets processed, and then if it 
> passes, snort feeds it out on another interface to the rest of the network 
> being protected... if snort determines that it is unwanted traffic, then snort 
> DROPs the traffic and doesn't pass it on inward...
>
> the second option is to use some software that monitors the alert file or the 
> alerts being posted to the database... there are several packages that can 
> handle the traffic at this stage... these packages have different ways of 
> telling the firewall to block the traffic... they may issue instructions to 
> iptables on a linux system or they may issue commands to some other software 
> which would then initiate the block or drop...
>
>> I am sure a flowchart would be very useful to find out what code handles 
>> what?
>
> i'm going to assume that this is a further clarification of the first query 
> and that you are wanting to see how the traffic flows into and through snort's 
> modules...
