snort-2.3.3-2.3.20060mdk.x86_64.rpm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<!--Converted with LaTeX2HTML 2002-2-1 (1.71)
original version by:  Nikos Drakos, CBLU, University of Leeds
* revised and updated by:  Marcus Hennecke, Ross Moore, Herb Swan
* with significant contributions from:
  Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
<HTML>
<HEAD>
<TITLE>5.2 Snort dataflow</TITLE>
<META NAME="description" CONTENT="5.2 Snort dataflow">
<META NAME="keywords" CONTENT="snort_manual">
<META NAME="resource-type" CONTENT="document">
<META NAME="distribution" CONTENT="global">

<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">

<LINK REL="STYLESHEET" HREF="snort_manual.css">

<LINK REL="next" HREF="node30.html">
<LINK REL="previous" HREF="node28.html">
<LINK REL="up" HREF="node27.html">
</HEAD>

<BODY >
<!--Navigation Panel-->
<A NAME="tex2html919"
  HREF="node30.html">
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A> 
<A NAME="tex2html915"
  HREF="node27.html">
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A> 
<A NAME="tex2html909"
  HREF="node28.html">
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A> 
<A NAME="tex2html917"
  HREF="node1.html">
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>  
<BR>
<B> Next:</B> <A NAME="tex2html920"
  HREF="node30.html">5.3 The Snort Team</A>
<B> Up:</B> <A NAME="tex2html916"
  HREF="node27.html">5. Snort Development</A>
<B> Previous:</B> <A NAME="tex2html910"
  HREF="node28.html">5.1 Submitting Patches</A>
 &nbsp; <B>  <A NAME="tex2html918"
  HREF="node1.html">Contents</A></B> 
<BR>
<BR>
<!--End of Navigation Panel-->
<!--Table of Child-Links-->
<A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A>

<UL>
<LI><A NAME="tex2html921"
  HREF="node29.html#SECTION00621000000000000000">5.2.1 Preprocessors</A>
<LI><A NAME="tex2html922"
  HREF="node29.html#SECTION00622000000000000000">5.2.2 Detection Plugins</A>
<LI><A NAME="tex2html923"
  HREF="node29.html#SECTION00623000000000000000">5.2.3 Output Plugins</A>
</UL>
<!--End of Table of Child-Links-->
<HR>

<H1><A NAME="SECTION00620000000000000000">
5.2 Snort dataflow</A>
</H1>
First, traffic is acquired from the network link via libpcap. Packets
are passed through a series of decoder routines that first fill in the
packet structure for the link-layer protocol and then decode the higher
layers, such as IP and the TCP and UDP headers (including their ports).

<P>
Packets are then sent through the registered set of preprocessors.
Each preprocessor checks whether the packet is one it should examine
and returns immediately if it is not.

<P>
Packets are then sent through the detection engine, which checks each
packet against the options listed in the Snort rules files. Each rule
option keyword is implemented as a plugin, so new keywords can be added
without changing the engine itself.

<P>

<H2><A NAME="SECTION00621000000000000000">
5.2.1 Preprocessors</A>
</H2>

<P>
For example, a TCP analysis preprocessor can simply return if the
packet does not have a TCP header. It can do this by checking: 

<P>
<PRE>
if (p-&gt;tcph == NULL)   /* decoder left tcph unset: not a TCP packet */
    return;
</PRE>
Similarly, a number of <TT>packet_flags</TT> bits are available to mark
a packet as, for example, reassembled or logged. See <TT>src/decode.h</TT>
for the list of <TT>PKT_*</TT> constants.

<P>

<H2><A NAME="SECTION00622000000000000000">
5.2.2 Detection Plugins</A>
</H2>
Basically, look at an existing detection plugin (the <TT>sp_*.c</TT>
files under <TT>src/detection-plugins</TT>), copy it to a new file and
change a few things. Later, we'll document what these few things are.
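<P>
The three stages described in this section (decoder, preprocessor, detection
plugins), as an added example that is not Snort source code: a toy C model in
which a constructed Ethernet/IPv4 frame is decoded, a TCP-only preprocessor
returns early when <TT>p-&gt;tcph</TT> is <TT>NULL</TT>, and two rule option
keywords are implemented as function-pointer plugins. The <TT>Packet</TT>
struct, the <TT>PKT_REBUILT_STREAM</TT> value, the option functions and the
sample frames are simplified stand-ins chosen for illustration, not the real
definitions in <TT>src/decode.h</TT> or <TT>src/detection-plugins</TT>.

```c
/* Added example, not Snort source: a toy model of the dataflow the manual
 * describes (decoder -> preprocessor -> rule-option plugins). The Packet
 * struct, the PKT_* value and the frames are simplified stand-ins for decode.h. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_REBUILT_STREAM 0x02u          /* illustrative flag bit, like decode.h's PKT_* set */

typedef struct {
    const uint8_t *tcph;                  /* NULL unless the decoder found a TCP header */
    uint8_t        ip_proto;
    uint16_t       sp, dp;                /* source / destination ports */
    uint32_t       packet_flags;          /* PKT_* bits set by preprocessors */
} Packet;

static uint16_t be16(const uint8_t *b) { return (uint16_t)((b[0] << 8) | b[1]); }

/* Decoder: Ethernet -> IPv4 -> TCP/UDP. Lengths are checked before any pointer
 * is stored, so a truncated or non-TCP frame simply leaves tcph NULL. */
static void decode_frame(Packet *p, const uint8_t *frame, size_t len)
{
    memset(p, 0, sizeof *p);
    if (len < 34 || be16(frame + 12) != 0x0800 || (frame[14] >> 4) != 4) return;
    const uint8_t *ip = frame + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, ip_len = len - 14;
    if (ihl < 20 || ihl > ip_len) return;
    p->ip_proto = ip[9];
    const uint8_t *l4 = ip + ihl;
    size_t l4_len = ip_len - ihl;
    if (p->ip_proto == 6 && l4_len >= 20) {             /* TCP: need the full 20-byte header */
        p->tcph = l4;
        p->sp = be16(l4); p->dp = be16(l4 + 2);
    } else if (p->ip_proto == 17 && l4_len >= 8) {      /* UDP */
        p->sp = be16(l4); p->dp = be16(l4 + 2);
    }
}

/* Preprocessor that only cares about TCP: bail out, as the manual's snippet does,
 * when tcph is NULL; otherwise flag SYNs to port 80 as a stream tracker might. */
static int tcp_preprocessor(Packet *p)
{
    if (p->tcph == NULL)
        return 0;                                       /* not ours, pass through */
    if (p->dp == 80 && (p->tcph[13] & 0x02))            /* byte 13 = TCP flags, 0x02 = SYN */
        p->packet_flags |= PKT_REBUILT_STREAM;
    return 1;
}

/* Detection: each rule-option keyword is a plugin behind one function type. */
typedef int (*OptionFunc)(const Packet *p, const void *arg);
static int opt_dport(const Packet *p, const void *arg)
{ return p->dp == *(const uint16_t *)arg; }
static int opt_tcp_flag(const Packet *p, const void *arg)
{ return p->tcph != NULL && (p->tcph[13] & *(const uint8_t *)arg) != 0; }

typedef struct { OptionFunc fn; const void *arg; } RuleOption;

static int run_rule(const Packet *p, const RuleOption *opts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!opts[i].fn(p, opts[i].arg)) return 0;      /* every option must match */
    return 1;
}

/* Whole pipeline for one frame: returns 1 if the "SYN to tcp/80" rule fires and
 * stores the preprocessor's packet_flags in *flags_out when it is non-NULL. */
int process_frame(const uint8_t *frame, size_t len, uint32_t *flags_out)
{
    static const uint16_t port80 = 80;
    static const uint8_t syn = 0x02;
    const RuleOption http_syn[] = { { opt_dport, &port80 }, { opt_tcp_flag, &syn } };
    Packet p;
    decode_frame(&p, frame, len);
    tcp_preprocessor(&p);
    if (flags_out) *flags_out = p.packet_flags;
    return run_rule(&p, http_syn, 2);
}

uint32_t frame_flags(const uint8_t *frame, size_t len)
{ uint32_t f; process_frame(frame, len, &f); return f; }

/* Constructed sample frames (not captured traffic): an Ethernet/IPv4/TCP SYN
 * from port 49152 to 80, and an Ethernet/IPv4/UDP datagram to port 53. */
const uint8_t TCP_SYN_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,       /* IPv4, proto 6 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,       /* TCP ports, seq, ack */
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00 };                          /* offset, SYN, win, csum, urp */
const uint8_t UDP_FRAME[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x02,0x00,0x00, 0x40,0x11,0x00,0x00,       /* IPv4, proto 17 */
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0xc0,0x00,0x00,0x35, 0x00,0x08,0x00,0x00 };                          /* UDP ports, len, csum */

int main(void)
{
    uint32_t flags;
    int hit = process_frame(TCP_SYN_FRAME, sizeof TCP_SYN_FRAME, &flags);
    printf("tcp syn: rule %d, flags 0x%x; udp: rule %d\n", hit, (unsigned)flags,
           process_frame(UDP_FRAME, sizeof UDP_FRAME, NULL));
    return 0;
}
```

<P>
The early return in <TT>tcp_preprocessor</TT> is the same check the snippet in
5.2.1 shows. It is only trustworthy because <TT>decode_frame</TT> sets
<TT>tcph</TT> after verifying that the frame really carries a full 20-byte TCP
header; a truncated capture (try <TT>process_frame(TCP_SYN_FRAME, 40, NULL)</TT>)
therefore reaches neither the preprocessor body nor the rule options.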

<P>

<H2><A NAME="SECTION00623000000000000000">
5.2.3 Output Plugins</A>
</H2>
Generally, new output plugins should go into the Barnyard project
rather than the Snort project. We are currently cleaning house on the
available output options.

<P>
<HR>

</BODY>
</HTML>