List:       focus-ids
Subject:    Re: Snort internals
From:       Martin Roesch <roesch () sourcefire ! com>
Date:       2002-01-02 18:43:00

Hi Neil,
     The "3rd dimension" is the linked list of function pointers that
hangs off of each node in the RTN-OTN "tree" (table).  The list of
function pointers is walked (recursively) as each node is accessed on
the tree, so each data node in the tree knows how to test itself against
the current packet.  There are some further optimizations that can be
done to make it even faster, but I found that we became I/O bound before
we hit the wall on how fast the tree can be traversed.

There's no real documentation on this per se, but it's hinted at in the
1999 "lisapaper.txt" from the USENIX LISA conference that's up at
www.snort.org and you can see how the whole thing is built in
rules.[h|c] in the Snort source distro.  The detection engine starts in
the function Detect() therein.

     -Marty

ndesai01@tampabay.rr.com wrote:
> 
> I thought that snort only used a two dimensional linked
> list for the rule matching in the detection engine. I
> read Marty's presentation at BlackHat and he states
> that snort now uses a 3 dimensional linked list. Can
> anyone please explain this to me or point me to
> some documentation on this. Thanks.
> 
> Neil

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch@sourcefire.com - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
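The structure Marty describes above, reduced to a toy in C (an added illustration, not code from the Snort source or from this thread): a list of rule tree nodes (first dimension), each carrying a list of option tree nodes (second dimension), each of which hangs a linked list of function pointers (the "3rd dimension"). The walk is recursive in the sense the message describes: each test function decides for itself and, on success, calls the next function in its chain, so a node "knows how to test itself" against the packet. The type names (RuleTreeNode, OptTreeNode, OptFp), the two test functions, the rule ids and the packets are all constructed for this example and only loosely echo the real rules.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet: only the fields the sample tests look at. */
typedef struct {
    uint8_t proto;       /* 6 = TCP, 17 = UDP */
    uint16_t dport;
    uint8_t tcp_flags;   /* 0x18 = PSH|ACK */
    const char *payload;
    size_t payload_len;
} Packet;

typedef struct OptFp OptFp;
/* A test in the third dimension: returns 1 only if this test AND every
 * test after it in the chain pass. */
typedef int (*OptFunc)(const Packet *p, OptFp *fp);

struct OptFp {                   /* third dimension: chain of tests */
    OptFunc fn;
    const void *arg;             /* test-specific argument (pattern, flag byte) */
    OptFp *next;
};

typedef struct OptTreeNode {     /* second dimension: one rule's options */
    int rule_id;
    OptFp *opt_list;
    struct OptTreeNode *next;
} OptTreeNode;

typedef struct RuleTreeNode {    /* first dimension: header (proto/port) */
    uint8_t proto;
    uint16_t dport;              /* 0 = any */
    OptTreeNode *otn_list;
    struct RuleTreeNode *next;
} RuleTreeNode;

/* Walk the chain: reaching the end means every test succeeded. */
static int eval_next(const Packet *p, OptFp *fp) {
    return fp == NULL ? 1 : fp->fn(p, fp);
}

static int check_tcp_flags(const Packet *p, OptFp *fp) {
    uint8_t want = *(const uint8_t *)fp->arg;
    if ((p->tcp_flags & want) != want) return 0;
    return eval_next(p, fp->next);   /* pass the packet down the chain */
}

static int check_content(const Packet *p, OptFp *fp) {
    const char *pat = (const char *)fp->arg;
    size_t plen = strlen(pat);
    if (p->payload_len < plen) return 0;
    for (size_t i = 0; i + plen <= p->payload_len; i++)
        if (memcmp(p->payload + i, pat, plen) == 0)
            return eval_next(p, fp->next);
    return 0;
}

/* Constructed rule set: two TCP rules and one UDP/53 rule. */
static const uint8_t PSH_ACK = 0x18;
static OptFp t_get  = { check_content,   "GET /",  NULL };
static OptFp t_flag = { check_tcp_flags, &PSH_ACK, &t_get };
static OptFp t_user = { check_content,   "USER",   NULL };
static OptFp t_ver  = { check_content,   "version", NULL };

static OptTreeNode otn_ftp  = { 1002, &t_user, NULL };
static OptTreeNode otn_http = { 1001, &t_flag, &otn_ftp };
static OptTreeNode otn_dns  = { 2001, &t_ver,  NULL };

static RuleTreeNode rtn_dns = { 17, 53, &otn_dns,  NULL };
static RuleTreeNode rtn_tcp = { 6,  0,  &otn_http, &rtn_dns };

/* Detection entry point: returns the first matching rule id, 0 if none. */
int detect(RuleTreeNode *rtn, const Packet *p) {
    for (; rtn; rtn = rtn->next) {
        if (rtn->proto != p->proto) continue;
        if (rtn->dport != 0 && rtn->dport != p->dport) continue;
        for (OptTreeNode *otn = rtn->otn_list; otn; otn = otn->next)
            if (eval_next(p, otn->opt_list)) return otn->rule_id;
    }
    return 0;
}

/* Convenience wrapper: build a packet from scalars and run it through the tree. */
int classify(uint8_t proto, uint16_t dport, uint8_t flags, const char *payload) {
    Packet p = { proto, dport, flags, payload, strlen(payload) };
    return detect(&rtn_tcp, &p);
}

int main(void) {
    printf("http:  %d\n", classify(6, 80, 0x18, "GET / HTTP/1.0"));   /* 1001 */
    printf("ftp:   %d\n", classify(6, 21, 0x18, "USER anonymous"));   /* 1002 */
    printf("dns:   %d\n", classify(17, 53, 0, "version.bind"));        /* 2001 */
    printf("ntp:   %d\n", classify(17, 123, 0, "version"));            /* 0 */
    return 0;
}
```

The header fields are checked once per RuleTreeNode and are never re-examined by the option chains, which is where the speed comes from: a packet that fails the protocol or port test never touches the content tests hanging beneath that node.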