Architecture framework of Snort (1)

 

Snort has many running Modes

For example:

 

# Define mode_packet_dump 1

# Define mode_packet_log 2

# Define mode_ids 3

# Define mode_test 4

# Define mode_rule_dump 5

# Define mode_version 6

 

Extern u_int8_t runmode;

 

 

 

The following section only analyzes the mode_ids mode ....

 

Main ()

{

Parsesponline function ===" initialize global variable PV;

 

Initoutputplugins () ;==> Generate an Alarm Type Library...

For example:

# Define nt_output_alert 0x1/* output node type alert */
# Define nt_output_log 0x2/* output node type log */
# Define nt_output_special 0x4/* Special output node type */

Initpreprocessors ()

Initplugins () ;== "generate the detection plug-in library ....

 

Parserulesfile (Pv. config_file, 0, parse_rule_lines) ;== "parse the configuration file. The most important step is to select the alarm type linked list from the Alarm Type Library according to the configuration, select a plug-in from the detection plug-in library according to the configuration to generate a rule tree ..

 

Setpktprocessor (); select the package processor based on the network card type ..

 

Fpcreatefastpacketdetection (); generate a quick detection rule tree based on the generated rule tree...

 

Interfacethread (); starts to capture packets, analyzes and matches packets with the selected package processor, and generates alarms...

}

 

The next section describes how to generate a rule tree .. The flexible plug-in technique is used here ..