Snort 2.1 Intrusion Detection, Second Edition

Snort's detection capabilities originated with, and have evolved around, detecting attacks by matching packet data against well-defined patterns. Those patterns, or rules, are an evolution of signatures. A signature is a specification of an attack in terms of number and string matches against particular parts of a packet. For example, a packet directed to port 80 whose payload contains the string "cmd.exe" is generally a good sign of an attacker probing a Windows-based Web server. An Intrusion Detection System (IDS) can detect this attack fairly well by checking the destination port number, checking the TCP flags (the ACK flag set and the SYN flag clear, so that only packets inside an established connection, not handshake packets, are considered), and doing a simple string match against the data portion of the TCP segment. Rules are much like this, but add flexibility and intelligence: compound conditions ("trigger if you match this and don't match that"), rules that are activated only after another rule has matched, and finer control over how a pattern is searched for. This pattern-matching core might seem overly simple, but it is this simplicity that makes Snort one of the fastest Network-based IDSs (NIDSs) available. Snort can keep up with fast and heavily loaded networks because it generally has a well-defined, bounded amount of work to do for each packet it examines.
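The following is an added example, not code from the book or from Snort itself: a minimal signature matcher that implements the check described above (destination port 80, ACK set, SYN clear, payload containing "cmd.exe") and the compound "match this and don't match that" form, run over constructed IPv4/TCP packets. The rule dictionary layout, the packet builder, the sample requests and the "Host: scanner.internal" suppression marker are all assumptions made for illustration.

```python
# Added example (not code from the book or from Snort): a minimal signature
# matcher for the "cmd.exe to port 80" check, run over constructed packets.
import struct

# TCP flag bits (RFC 793 layout of the flags byte)
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_ipv4_tcp(packet: bytes):
    """Return (dst_port, tcp_flags, payload) for an IPv4/TCP packet, else None.

    Non-TCP traffic and truncated packets return None so the matcher simply
    ignores them instead of raising.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                    # IPv4 header length in bytes
    if packet[9] != 6 or len(packet) < ihl + 20:    # protocol 6 == TCP
        return None
    tcp = packet[ihl:]
    _src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4                # TCP header length in bytes
    if len(tcp) < data_offset:
        return None
    return dst_port, tcp[13], tcp[data_offset:]


def matches(rule: dict, packet: bytes) -> bool:
    """Apply one rule: port check, flag set/clear checks, then content checks.

    rule["content"] is a list of (negated, pattern) pairs; a negated entry
    gives the compound "match this and don't match that" behaviour.
    Matching is a plain byte search: case-sensitive, like Snort's default.
    """
    parsed = parse_ipv4_tcp(packet)
    if parsed is None:
        return False
    dst_port, flags, payload = parsed
    if dst_port != rule["dport"]:
        return False
    if flags & rule["flags_set"] != rule["flags_set"]:   # required bits present
        return False
    if flags & rule["flags_clear"]:                       # forbidden bits absent
        return False
    for negated, pattern in rule["content"]:
        if (pattern in payload) == negated:
            return False
    return True


def build_ipv4_tcp(dst_port: int, flags: int, payload: bytes) -> bytes:
    """Constructed test packet (assumption): IPv4 + TCP headers, zero checksums."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload


# The check from the text: port 80, ACK set, SYN clear, payload contains cmd.exe.
CMD_EXE_RULE = {"dport": 80, "flags_set": TCP_ACK, "flags_clear": TCP_SYN,
                "content": [(False, b"cmd.exe")]}

# Compound form: same, but suppressed when a hypothetical marker is also present.
CMD_EXE_COMPOUND_RULE = dict(CMD_EXE_RULE,
                             content=[(False, b"cmd.exe"), (True, b"Host: scanner.internal")])

# Constructed sample traffic (not real captures).
ATTACK = build_ipv4_tcp(80, TCP_ACK | TCP_PSH,
                        b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")
HANDSHAKE = build_ipv4_tcp(80, TCP_SYN, b"")
OTHER_PORT = build_ipv4_tcp(8080, TCP_ACK | TCP_PSH, b"GET /cmd.exe HTTP/1.0\r\n\r\n")
AUTHORIZED = build_ipv4_tcp(80, TCP_ACK | TCP_PSH,
                            b"GET /cmd.exe HTTP/1.0\r\nHost: scanner.internal\r\n\r\n")


def scan(rule: dict, packets: dict) -> list:
    """Return the names of the packets that trigger the rule."""
    return [name for name, pkt in packets.items() if matches(rule, pkt)]


if __name__ == "__main__":
    samples = {"attack": ATTACK, "handshake": HANDSHAKE,
               "other_port": OTHER_PORT, "authorized": AUTHORIZED}
    print("simple rule:  ", scan(CMD_EXE_RULE, samples))    # ['attack', 'authorized']
    print("compound rule:", scan(CMD_EXE_COMPOUND_RULE, samples))  # ['attack']
```

The flag check is what keeps the SYN of the handshake from being inspected at all, and the per-packet work is fixed: one header parse, a few integer comparisons and a byte search, which is the bounded cost the text credits for Snort's speed. The same property is the check's weakness: because it is a plain byte search, a request that URL-encodes part of the filename (for example `%63md.exe`) would not match this rule, which is why a matcher like this is only as good as the normalisation applied to the payload before it runs.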
There was great demand for Snort to move beyond its rule-matching design. For example, one requested feature was protocol anomaly detection, where Snort could detect that a packet's data does not obey the rules of the protocol to which it belongs.