
Thread: 3D linkx in snort

  1. #1
    Senior Member
    Join Date
    Sep 2003
    Posts
    161

    3D linkx in snort

    What are 3D rule set links in Snort? And what do they do? I never understood that.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I've just upgraded my snort to version 2.0.5 and I have no idea of what rules you are talking about. Can you be more specific?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    This is from http://www.snort.org/docs/lisapaper.txt
    Snort - Lightweight Intrusion Detection for Networks

    Martin Roesch
    roesch@clark.net

    The detection engine

    Snort maintains its detection rules in a two dimensional linked list of
    what are termed Chain Headers and Chain Options. These are lists of rules that
    have been condensed down to a list of common attributes in the Chain Headers,
    with the detection modifier options contained in the Chain Options. For
    example, if forty five CGI-BIN probe detection rules are specified in a given
    Snort detection library file, they generally all share common source and
    destination IP addresses and ports. To speed the detection processing, these
    commonalities are condensed into a single Chain Header and then individual
    detection signatures are kept in Chain Option structures.

    Figure 3 - Rule Chain logical structure
    -------------------------------------------------------------------------------
    ------------------------          ------------------------          -----
    |     Chain Header     |          |     Chain Header     |          | Chai
    |                      |          |                      |          |
    |  Source IP Address   |          |  Source IP Address   |          | Sour
    |Destination IP Address|--------->|Destination IP Address|--------->| Dest
    |     Source Port      |          |     Source Port      |          | Sour
    |   Destination Port   |          |   Destination Port   |          | Dest
    |                      |          |                      |          |
    ------------------------          ------------------------          -----
               |                                 |
               |                                 |
               |                                 |
              \|/                               \|/
    -----------V---------             -----------V---------
    |   Chain Option    |             |   Chain Option    |
    |                   |             |                   |
    |     Content       |
    |     TCP Flags     |
    |  ICMP Codes/types |
    |   Payload Size    |
    |       etc.        |
    |                   |
    ---------------------
               |
               |
               |
              \|/
    -----------V---------
    |   Chain Option    |
    |                   |
    |     Content       |
    |     TCP Flags     |
    |  ICMP Codes/types |
    |   Payload Size    |
    |       etc.        |
    |                   |
    ---------------------
               |
               |

    -------------------------------------------------------------------------------

    These rule chains are searched recursively for each packet in both
    directions. The detection engine checks only those chain options which have
    been set by the rules parser at run-time. The first rule that matches a
    decoded packet in the detection engine triggers the action specified in the
    rule definition and returns.


    -------------------------------------------------------------------------------


    Anyone know what this is talking about? I could not understand it.
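
    The quoted paper describes the detection engine's two-dimensional linked list: rules that share the same source/destination addresses and ports are condensed into one Chain Header, each header owns a list of Chain Options holding the per-signature tests, and a packet is matched by walking the headers and, within a matching header, the options, stopping at the first hit. The Python below is an added toy model of that structure, written for this thread; it is not Snort's own code, and the rule set, IP addresses and rule messages are constructed. It leaves out the bidirectional ("both directions") search and real pattern matching, and, as the paper says, tests only the option fields a rule actually set.

```python
"""Toy model of Snort 1.x's Chain Header / Chain Option rule list.
Added illustration, not Snort code; all rules and addresses are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

ANY = "any"  # wildcard for a header field, like "any" in a Snort rule header


@dataclass(frozen=True)
class HeaderKey:
    """What rules are condensed on: the Chain Header contents in Figure 3."""
    proto: str
    src_ip: str
    src_port: Union[int, str]
    dst_ip: str
    dst_port: Union[int, str]


@dataclass
class ChainOption:
    """Per-signature tests; None means the rule did not set that option."""
    action: str
    msg: str
    content: Optional[bytes] = None
    tcp_flags: Optional[str] = None
    payload_size: Optional[int] = None


@dataclass
class ChainHeader:
    key: HeaderKey
    options: List[ChainOption] = field(default_factory=list)


@dataclass
class Packet:
    """Decoded packet fields the toy engine looks at (no real decoder here)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""
    tcp_flags: str = ""


def build_chain(rules: List[Tuple[HeaderKey, ChainOption]]) -> List[ChainHeader]:
    """Condense rules sharing a header into one ChainHeader; each rule's
    option block becomes one ChainOption hanging off that header."""
    headers: List[ChainHeader] = []
    for key, option in rules:
        for header in headers:
            if header.key == key:
                header.options.append(option)
                break
        else:
            headers.append(ChainHeader(key, [option]))
    return headers


def _field_matches(rule_value, packet_value) -> bool:
    return rule_value == ANY or rule_value == packet_value


def header_matches(key: HeaderKey, pkt: Packet) -> bool:
    return (key.proto == pkt.proto
            and _field_matches(key.src_ip, pkt.src_ip)
            and _field_matches(key.src_port, pkt.src_port)
            and _field_matches(key.dst_ip, pkt.dst_ip)
            and _field_matches(key.dst_port, pkt.dst_port))


def option_matches(opt: ChainOption, pkt: Packet) -> bool:
    """Check only the options the rule parser actually set."""
    if opt.content is not None and opt.content not in pkt.payload:
        return False
    if opt.tcp_flags is not None and opt.tcp_flags != pkt.tcp_flags:
        return False
    if opt.payload_size is not None and len(pkt.payload) != opt.payload_size:
        return False
    return True


def detect(headers: List[ChainHeader], pkt: Packet) -> Optional[Tuple[str, str]]:
    """Walk the header list; in each matching header walk its option list.
    The first matching option fires and the engine returns at once; a header
    whose options all miss does not end the search."""
    for header in headers:
        if not header_matches(header.key, pkt):
            continue
        for opt in header.options:
            if option_matches(opt, pkt):
                return opt.action, opt.msg
    return None


# Constructed rule set: three CGI probe signatures share one header, so they
# collapse into a single Chain Header carrying three Chain Options.
WEB_SERVER = HeaderKey("tcp", ANY, ANY, "10.0.0.5", 80)
RULES = [
    (WEB_SERVER, ChainOption("alert", "WEB-CGI phf access", content=b"/cgi-bin/phf")),
    (WEB_SERVER, ChainOption("alert", "WEB-CGI test-cgi access", content=b"/cgi-bin/test-cgi")),
    (WEB_SERVER, ChainOption("alert", "WEB-MISC directory traversal", content=b"../..")),
    (HeaderKey("tcp", ANY, ANY, "10.0.0.5", ANY),
     ChainOption("alert", "SCAN TCP XMAS flags", tcp_flags="FPU")),
    (HeaderKey("icmp", ANY, ANY, "10.0.0.5", ANY),
     ChainOption("alert", "ICMP large ping", payload_size=1400)),
]

if __name__ == "__main__":
    chain = build_chain(RULES)
    print(f"{len(RULES)} rules condensed into {len(chain)} chain headers")
    probe = Packet("tcp", "192.0.2.9", 40001, "10.0.0.5", 80,
                   b"GET /cgi-bin/phf HTTP/1.0\r\n", "PA")
    print(detect(chain, probe))
```

    Run it and the five constructed rules become three chain headers; the point of the layout is that a packet to port 80 on the web server tests the header's five fields once and then only the content options under it, instead of re-testing addresses and ports for every rule. The order of rules in the file is the order of the chain, which is why the first matching rule decides.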

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Where does the term "3D ruleset link" come in context?

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    qod: I'd kinda forget about that. The paper is about 3 years old and refers back to version 1.5 or so. We are at 2.0.5 right now and the detection engine no longer chains similar rules in the way that it did back then.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    No, but I was reading the book Snort 2: Intrusion Detection and it still talks about 3-dimensional links, and I still do not understand how they work or why they are needed.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    What page.... there's nothing in the index and I need a reminder of what it is talking about.

  8. #8
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Yes, I have the book too and I also searched snort.org so I am confused.

  9. #9
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Ah, 114-115, 118-119.

    Page 118 Header "What is a 3d linked list"

    It's just a way to look at (or map) how the rules are processed?
    Still consuming.


  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Ok..... All Snort is doing is creating an array of sorts out of the rules themselves to aid in speeding up rule matches. Frankly I can't think of a better way of explaining it than the book does. Look at the diagram of the tree as you read the text on the pages mentioned by Roadclosed and it should become crystal clear.....
