[Snort-users] snort 2.9.x.x software flow chart

waldo kitty wkitty42 at ...14940...
Thu Apr 4 14:06:03 EDT 2013

On 4/4/2013 10:59, Lawrence R. Hughes,Sr. wrote:
> Waldo Kitty,
> Thanks for the reply.. Software flow from internet would be great..

here are a couple of possible answers...


figure 6 in the below old (2004) pdf concerning snort 2.4 might help... not sure 
how far off the mark it may be with today's 2.9 version of snort...


there's also the below from 5 Sep 2012 in this list...


i can't get to seclists.org or insecure.org right now... but there are a few 
links pointing to them as well... oh, wait... they are point to the above 
discussion i linked to on gmane...

here's a little something from the father of snort, martin roesch...


dunno if these are what you may be looking for or not... they are what i found 
from uncle google in a few minutes and using a couple of different search term 
phrases... "snort process flow", "snort packet diagram flow", "snort 
architecture diagram"... each without the quotes of course ;)

> Thanks,
> Larry
> -----Original Message-----
> From: waldo kitty
> Sent: Wednesday, April 03, 2013 6:43 PM
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] snort 2.9.x.x software flow chart
> On 4/3/2013 13:28, Lawrence R. Hughes,Sr. wrote:
>> Hi,
>> I am looking for a software flowchart for snort2.9.x.x
>> Anyone know where I can find a copy?
> are you speaking of the internet to snort flow or a flow chart for
> installation
> or something else?
>> Also, What program handles the capture point (where packets are deemed not
>> to be
>> a threat and are allowed to pass)?
> there are two options, if i'm understanding your question...
> the first option is snort in inline mode with DROP rules... in this mode,
> the
> traffic comes in on one interface to snort, gets processed, and then if it
> passes, snort feeds it out on another interface to the rest of the network
> being
> protected... if snort determines that it is unwanted traffic, then snort
> the traffic and doesn't pass it on inward...
> the second option is to use some software that monitors the alert file or
> the
> alerts being posted to the database... there are several packages that can
> handle the traffic at this stage... these packages have different ways of
> telling the firewall to block the traffic... they may issue instructions to
> iptables on a linux system or they may issue commands to some other software
> which would then initiate the block or drop...
>> I am sure a flowchart would be very useful to find out what code handles
>> what?
> i'm going to assume that this is a further clarification of the first query
> and
> that you are wanting to see how the traffic flows into and through snort's
> modules...

More information about the Snort-users mailing list