Snort has several run modes, defined in the source as:

    #define MODE_PACKET_DUMP 1
    #define MODE_PACKET_LOG  2
    #define MODE_IDS         3
    #define MODE_TEST        4
    #define MODE_RULE_DUMP   5
    #define MODE_VERSION     6
    extern u_int8_t runmode;
The following only analyzes the MODE_IDS (intrusion detection) mode.
    main()
    {
        ParseCmdLine(argc, argv);       /* parse the command line and initialize the global variable pv */
        InitOutputPlugins();            /* build the output (alarm) plug-in library; each entry carries a node type: */
                                        /*   #define NT_OUTPUT_ALERT   0x1   output node type: alert        */
                                        /*   #define NT_OUTPUT_LOG     0x2   output node type: log          */
                                        /*   #define NT_OUTPUT_SPECIAL 0x4   special output node type       */
        InitPreprocessors();            /* build the preprocessor plug-in library */
        InitPlugins();                  /* build the detection plug-in library */
        ParseRulesFile(pv.config_file, 0, parse_rule_lines);
                                        /* parse the configuration file. This is the most important step:
                                           according to the configuration it selects the alarm-type linked
                                           list from the alarm type library, and selects plug-ins from the
                                           detection plug-in library to build the rule tree */
        SetPktProcessor();              /* select the packet processor (decoder) according to the
                                           network card / link-layer type */
        fpCreateFastPacketDetection();  /* build the fast-detection rule tree from the rule tree just generated */
        InterfaceThread();              /* start capturing packets; decode and match each packet with the
                                           selected packet processor and generate alarms */
    }
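The library-then-select pattern that ParseRulesFile relies on can be shown in a few dozen lines. The block below is an added, constructed example and is not Snort's source: it registers a small output-plugin library keyed by the NT_OUTPUT_* node-type bits before any configuration is read, then lets "output <keyword>: <args>" lines select an entry from that library and run its init routine. Only the NT_OUTPUT_* values come from Snort; the plugin keywords, the init stubs, the counters and the sample configuration lines are made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Output node-type bits, as defined in Snort 2.x */
#define NT_OUTPUT_ALERT   0x1
#define NT_OUTPUT_LOG     0x2
#define NT_OUTPUT_SPECIAL 0x4

/* One library entry: keyword, node types it can serve, init callback. */
typedef void (*OutputInitFunc)(const char *args);
typedef struct {
    const char *keyword;
    int node_type;              /* bitmask of NT_OUTPUT_* */
    OutputInitFunc init;
} OutputKeyword;

static OutputKeyword output_library[8];   /* the "alarm type library" */
static int output_count = 0;
/* Counters standing in for Snort's active AlertList / LogList. */
static int active_alert_count = 0, active_log_count = 0;
int ActiveAlertCount(void) { return active_alert_count; }
int ActiveLogCount(void)   { return active_log_count; }

static void RegisterOutputPlugin(const char *kw, int node_type, OutputInitFunc init)
{
    if (output_count >= 8) return;          /* library full; Snort would fail loudly here */
    output_library[output_count].keyword   = kw;
    output_library[output_count].node_type = node_type;
    output_library[output_count].init      = init;
    output_count++;
}

/* Constructed stand-in plugins; real plugins open files, sockets, databases. */
static void AlertFastInit(const char *args)  { (void)args; }
static void LogTcpdumpInit(const char *args) { (void)args; }
static void DatabaseInit(const char *args)   { (void)args; }

/* Like InitOutputPlugins(): fill the library before any config is read. */
void InitOutputPlugins(void)
{
    output_count = 0;
    active_alert_count = active_log_count = 0;
    RegisterOutputPlugin("alert_fast",  NT_OUTPUT_ALERT,                 AlertFastInit);
    RegisterOutputPlugin("log_tcpdump", NT_OUTPUT_LOG,                   LogTcpdumpInit);
    RegisterOutputPlugin("database",    NT_OUTPUT_ALERT | NT_OUTPUT_LOG, DatabaseInit);
}

/* Handle one "output <keyword>: <args>" config line.  Returns the node-type
 * bits of the entry selected and initialized, or -1 if the keyword is not in
 * the library (Snort itself aborts with a fatal error in that case). */
int ParseOutputLine(const char *line)
{
    char keyword[32];
    const char *rest;
    size_t n;

    if (strncmp(line, "output ", 7) != 0) return -1;
    rest = line + 7;
    n = strcspn(rest, ": \t");              /* keyword ends at ':' or whitespace */
    if (n == 0 || n >= sizeof keyword) return -1;
    memcpy(keyword, rest, n);
    keyword[n] = '\0';
    rest += n;
    if (*rest == ':') rest++;
    while (*rest == ' ' || *rest == '\t') rest++;   /* rest = plugin arguments */

    for (int i = 0; i < output_count; i++) {
        if (strcmp(output_library[i].keyword, keyword) == 0) {
            output_library[i].init(rest);    /* selected: run its init */
            if (output_library[i].node_type & NT_OUTPUT_ALERT) active_alert_count++;
            if (output_library[i].node_type & NT_OUTPUT_LOG)   active_log_count++;
            return output_library[i].node_type;
        }
    }
    return -1;
}

/* Constructed sample config, standing in for pv.config_file. */
static const char *const SAMPLE_CONFIG[] = {
    "output alert_fast: alerts.txt",
    "output log_tcpdump: snort.log",
    "output database: log, mysql, user=snort",
    "output no_such_plugin: x",
};

/* Mirrors the startup order: build the library, then let the config select
 * from it.  Returns how many config lines bound to a library entry. */
int ConfigureOutputs(void)
{
    int bound = 0;
    InitOutputPlugins();
    for (int i = 0; i < 4; i++)
        if (ParseOutputLine(SAMPLE_CONFIG[i]) != -1) bound++;
    return bound;
}

int main(void)
{
    int bound = ConfigureOutputs();
    printf("%d outputs bound: %d alert, %d log\n", bound, ActiveAlertCount(), ActiveLogCount());
    return 0;
}
```

Run stand-alone it reports three bound outputs (the unknown keyword is rejected, where Snort would abort), two on the alert list and two on the log list because the combined entry carries both node-type bits. The same shape, a registry populated at start-up and consulted during parsing, is what InitPlugins and the rule-tree build use for detection plug-ins.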
The next section describes how the rule tree is generated; Snort's flexible plug-in mechanism is used there.