Snort 2.1 Intrusion Detection, Second Edition

In this chapter, we will be discussing the life of a packet inside Snort: the hows, whys, and whats of Snort's inner workings. First, we'll look at how packets get into Snort. Then, we'll look at how Snort decodes packets. Next, we'll look at how Snort detects attacks. We will discuss preprocessors and output plug-ins; however, these are covered in more detail in Chapters 6 and 7, respectively.
The life of a packet inside Snort is rather simple. Snort uses pcap for reading packets. Snort tells pcap to use the callback function ProcessPacket whenever it reads a packet. ProcessPacket calls the decoder, which decodes each of the network layers (we'll discuss the decoder in a bit). After decoding, what happens next depends on how Snort was started. In IDS mode, Snort calls the detection engine. In packet-logging mode, Snort calls the output plug-ins, the same output plug-ins used by Snort when it generates an alert.
Currently, Snort's decoder is pretty simple. Based on the libpcap link layer, Snort calls different functions to handle decoding the link layer. Snort supports a number of link layers: Ethernet, 802.11, Token Ring, FDDI, Cisco HDLC, SLIP, PPP, and OpenBSD's PF.
Each link-layer decoder function sets various pointers into the packet structure. Then, based on information it decoded, it sets up pointers into the packet structure for where the next layer starts, and calls the next layer's decoder. Each layer has a hard-coded list of...
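To make the pointer-chaining idea concrete, here is a small added example (written for this edit, not Snort's own code, with function names modelled on Snort's) of an Ethernet decoder that sets the layer pointers in a packet structure and hands the rest of the buffer to the IP and TCP decoders. The frame it parses is constructed inline; each layer bounds-checks the attacker-controlled length fields before setting a pointer, which is the property a real decoder must have.

```c
#include <stdint.h>
#include <stddef.h>
/* Packet structure in the spirit of Snort's: each decoder fills in the pointer
 * for its own layer, then hands the remaining bytes to the next layer's decoder. */
typedef struct {
    const uint8_t *eth, *iph, *tcph, *data; /* where each layer starts */
    size_t dsize;                            /* payload length */
    uint8_t proto;                           /* IP protocol number */
    uint16_t sp, dp;                         /* TCP source/destination ports */
} Packet;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static int DecodeTCP(const uint8_t *p, size_t len, Packet *pkt) {
    if (len < 20) return -1;                 /* fixed header does not fit */
    size_t hlen = (size_t)(p[12] >> 4) * 4;  /* data offset is in 32-bit words */
    if (hlen < 20 || hlen > len) return -1;  /* bogus offset: never point past the buffer */
    pkt->tcph = p; pkt->sp = rd16(p); pkt->dp = rd16(p + 2);
    pkt->data = p + hlen; pkt->dsize = len - hlen;
    return 0;
}
static int DecodeIP(const uint8_t *p, size_t len, Packet *pkt) {
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4, tot = rd16(p + 2);
    if (hlen < 20 || tot < hlen || tot > len) return -1; /* lengths come from the wire: check both against captured bytes */
    pkt->iph = p; pkt->proto = p[9];
    if (pkt->proto == 6) return DecodeTCP(p + hlen, tot - hlen, pkt);
    pkt->data = p + hlen; pkt->dsize = tot - hlen; /* other protocols: raw payload */
    return 0;
}
/* Link-layer entry point, the role DecodeEthPkt plays in Snort for Ethernet. */
int DecodeEthPkt(const uint8_t *p, size_t len, Packet *pkt) {
    *pkt = (Packet){0};
    if (len < 14) return -1;
    pkt->eth = p;
    if (rd16(p + 12) == 0x0800) return DecodeIP(p + 14, len - 14, pkt);
    return -1;                               /* EtherType not handled in this example */
}
/* Constructed sample frame: Ethernet, IPv4 10.0.0.1 -> 10.0.0.2, TCP 12345 -> 80,
 * 16-byte payload. Checksums are left zero because this decoder does not verify them. */
static const uint8_t kFrame[] = {
    1,2,3,4,5,6, 7,8,9,10,11,12, 0x08,0x00,                        /* Ethernet */
    0x45,0x00,0x00,0x38, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00, /* IPv4 */
    10,0,0,1, 10,0,0,2,
    0x30,0x39, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x18, 0xff,0xff, 0,0, 0,0, /* TCP */
    'G','E','T',' ','/',' ','H','T','T','P','/','1','.','0','\r','\n'
};
Packet g_pkt;                                /* filled by the calls below */
int decode_sample(void)    { return DecodeEthPkt(kFrame, sizeof kFrame, &g_pkt); }
/* Only 40 bytes captured: the IP total length (56) exceeds what is present. */
int decode_truncated(void) { return DecodeEthPkt(kFrame, 40, &g_pkt); }
```

After decode_sample() the data pointer sits exactly 20 bytes past tcph and dsize is 16, while decode_truncated() returns -1 instead of leaving a payload pointer that runs off the end of the capture.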