Components of Snort
- The application layer header. Application layer headers include, but are not limited to, the DNS header, FTP header, SNMP header, and SMTP header. You may have to use indirect methods for application layer headers, such as specifying the offset of the data to be looked for.
- Packet payload. This means that you can create a rule that is used by the detection engine to find a string inside the data carried in the packet.
The detection engine works in different ways for different versions of Snort. In all
1.x versions of Snort, the detection engine stops further processing of a packet when a
rule is matched. Depending upon the rule, the detection engine takes appropriate action
by logging the packet or generating an alert. This means that if a packet matches criteria
defined in multiple rules, only the first rule is applied to the packet without looking for
other matches. This is fine except for one problem. A low priority rule generates a low
priority alert, even if a high priority rule meriting a high priority alert is located later in
the rule chain. This problem is rectified in Snort version 2 where all rules are matched
against a packet before generating an alert. After matching all rules, the highest priority
rule is selected to generate the alert.
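The difference between the two evaluation strategies just described is easiest to see with a small simulation. The following Python sketch is an added example, not code from the book or from Snort itself: it parses a tiny subset of Snort rule syntax and runs three constructed rules over one constructed payload, first stopping at the first match (1.x behaviour) and then picking the most severe of all matches (2.x behaviour). The rule text, the payload and the helper names are all assumptions made for this example; the only Snort-specific fact relied on is that a lower `priority` number means a more severe alert.

```python
import re

# Constructed rules for this example. In Snort's priority keyword a lower
# number is more severe (priority:1 is the highest priority).
RULES = [
    'alert tcp any any -> any 80 (msg:"HTTP GET seen"; content:"GET "; priority:3;)',
    'alert tcp any any -> any 80 (msg:"Path traversal attempt"; content:"../"; priority:1;)',
    'alert tcp any any -> any 80 (msg:"Shell reference"; content:"/bin/sh"; priority:2;)',
]

# action, protocol, src addr, src port, ->, dst addr, dst port, (options)
RULE_RE = re.compile(r'^(\w+)\s+\S+\s+\S+\s+\S+\s+->\s+\S+\s+\S+\s+\((.*)\)$')

def parse_rule(text):
    """Parse a minimal subset of Snort rule syntax: header plus msg/content/priority."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    opts = {}
    for opt in filter(None, (o.strip() for o in m.group(2).split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    return {"action": m.group(1), "msg": opts["msg"],
            "content": opts["content"].encode(), "priority": int(opts.get("priority", 3))}

def matches(rule, payload):
    """Plain substring search, standing in for Snort's content matching."""
    return rule["content"] in payload

def detect_first_match(rules, payload):
    """Snort 1.x style: stop at the first rule in the chain that matches."""
    for rule in rules:
        if matches(rule, payload):
            return rule["msg"]
    return None

def detect_best_match(rules, payload):
    """Snort 2.x style: evaluate every rule, then alert on the most severe match."""
    hits = [r for r in rules if matches(r, payload)]
    if not hits:
        return None
    return min(hits, key=lambda r: r["priority"])["msg"]

# Constructed payload that happens to match all three rules at once.
PAYLOAD = b"GET /cgi-bin/../../bin/sh HTTP/1.0\r\n\r\n"
PARSED = [parse_rule(r) for r in RULES]

if __name__ == "__main__":
    print("1.x style:", detect_first_match(PARSED, PAYLOAD))  # HTTP GET seen
    print("2.x style:", detect_best_match(PARSED, PAYLOAD))   # Path traversal attempt
```

With the low-priority "HTTP GET seen" rule placed first in the chain, the first-match engine never reaches the priority-1 rule, which is exactly the problem the text describes.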
The detection engine in Snort version 2.0 is completely rewritten so that it is a lot
faster compared to detection in earlier versions of Snort. While Snort 2.0 is still not in
release at the time of writing this book, earlier analysis shows that the new detection
engine may be up to eighteen times faster.
1.3.4 Logging and Alerting System
Depending upon what the detection engine finds inside a packet, the packet may be used to log the activity or to generate an alert. Logs are kept in simple text files, tcpdump-style files, or some other form. All of the log files are stored under the /var/log/snort directory by default. You can use the -l command line option to change the directory where logs and alerts are written. Many command line options discussed in the next chapter can modify the type and detail of information that is logged by the logging and alerting system.
1.3.5 Output Modules
Output modules, or plug-ins, can perform different operations depending on how you want to save the output generated by the logging and alerting system of Snort. Basically, these modules control the type of output generated by the logging and alerting system. Depending on the configuration, output modules can do things like the following: