The new detection engine uses a setwise methodology for analysing Snort rules. It builds four top-level rule groups: TCP, UDP, ICMP, and IP. When processing a packet, the detection engine first checks the protocol. If the protocol is TCP, UDP, or ICMP, it checks the ruleset for that protocol; otherwise, it checks the IP ruleset. Each ruleset consists of rule-groups keyed by port, with each rule placed in the group according to the longest content pattern it contains. For ICMP packets, the rule-group is instead selected by the ICMP type specified in each ICMP rule.
For each packet that comes in, the detection engine calls prmFindRuleGroup, which returns the appropriate rule-group for the packet submitted. prmFindRuleGroup returns the appropriate rule… Then, based on the action, the configured number of alerts is generated. For example, if the configured alert type order is "pass, alert, log," and there are any pass rules, then the traffic is passed and no alerts are logged. If there are no pass rules, then the first three events are logged, ordered either by longest content or by priority. By default, the detection engine orders the rules to fire based on longest content.
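The lookup and event-ordering flow described above, as an added example in Python (not Snort's own code): a small model that builds the four protocol groups, selects a rule-group by port or ICMP type the way prmFindRuleGroup does, matches each rule's longest content against the payload, and then applies the configured action order and event limit. The `Rule`, `Packet` and `DetectionEngine` names, the ruleset and the packets are all constructed for illustration and are not from the page.

```python
"""Toy model of the Snort rule-group lookup and event ordering.

Added example, not Snort's own code. It mimics the flow of prmFindRuleGroup
(protocol -> port or ICMP type -> rule group), checks each rule's longest
content against the payload, then applies the configured action order and
the maximum number of events. Everything below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    sid: int
    action: str                      # "pass", "alert" or "log"
    proto: str                       # "tcp", "udp", "icmp" or "ip"
    port: Optional[int]              # destination port for tcp/udp rules
    content: bytes                   # the rule's longest content pattern
    priority: int = 3                # Snort convention: lower number = more urgent
    icmp_type: Optional[int] = None  # used only by icmp rules


@dataclass
class Packet:
    proto: str
    dport: Optional[int]
    payload: bytes
    icmp_type: Optional[int] = None


class DetectionEngine:
    def __init__(self, rules: List[Rule],
                 action_order: Tuple[str, ...] = ("pass", "alert", "log"),
                 max_events: int = 3, order_by: str = "content"):
        self.action_order = action_order
        self.max_events = max_events
        self.order_by = order_by          # "content" (default) or "priority"
        # Four top-level groups: tcp/udp keyed by port, icmp keyed by type,
        # and a flat IP group for every other protocol.
        self.groups = {"tcp": {}, "udp": {}, "icmp": {}, "ip": []}
        for r in rules:
            if r.proto in ("tcp", "udp"):
                self.groups[r.proto].setdefault(r.port, []).append(r)
            elif r.proto == "icmp":
                self.groups["icmp"].setdefault(r.icmp_type, []).append(r)
            else:
                self.groups["ip"].append(r)

    def find_rule_group(self, pkt: Packet) -> List[Rule]:
        """Select the rule-group for a packet (the role of prmFindRuleGroup)."""
        if pkt.proto in ("tcp", "udp"):
            return self.groups[pkt.proto].get(pkt.dport, [])
        if pkt.proto == "icmp":
            return self.groups["icmp"].get(pkt.icmp_type, [])
        return self.groups["ip"]          # anything else falls to the IP group

    def process(self, pkt: Packet) -> List[Tuple[str, int]]:
        """Return the (action, sid) events generated for one packet."""
        matched = [r for r in self.find_rule_group(pkt) if r.content in pkt.payload]
        events: List[Rule] = []
        for action in self.action_order:
            hits = [r for r in matched if r.action == action]
            if action == "pass" and hits:
                break                     # a matching pass rule ends processing
            events.extend(hits)
        if self.order_by == "priority":
            events.sort(key=lambda r: r.priority)
        else:
            events.sort(key=lambda r: len(r.content), reverse=True)
        return [(r.action, r.sid) for r in events[:self.max_events]]


# Constructed ruleset and packets (illustrative only).
RULES = [
    Rule(1, "alert", "tcp", 80, b"/cgi-bin/", priority=2),
    Rule(2, "alert", "tcp", 80, b"/cgi-bin/test.cgi", priority=3),
    Rule(3, "log", "tcp", 80, b"GET", priority=1),
    Rule(4, "alert", "tcp", 80, b"POST"),
    Rule(5, "pass", "tcp", 22, b"SSH-"),
    Rule(6, "alert", "tcp", 22, b"SSH-"),
    Rule(7, "alert", "icmp", None, b"", icmp_type=8),   # type-based, no content
    Rule(8, "alert", "ip", None, b"\x00\x00"),
]
HTTP = Packet("tcp", 80, b"GET /cgi-bin/test.cgi HTTP/1.0")
SSH = Packet("tcp", 22, b"SSH-2.0-OpenSSH_8.9")
PING = Packet("icmp", None, b"", icmp_type=8)
GRE = Packet("gre", None, b"\x00\x00\x65\x58")   # non-tcp/udp/icmp -> IP group

if __name__ == "__main__":
    engine = DetectionEngine(RULES)
    for name, pkt in [("HTTP", HTTP), ("SSH", SSH), ("PING", PING), ("GRE", GRE)]:
        print(name, engine.process(pkt))
```

With the default "pass, alert, log" order the SSH packet produces no event because a pass rule matches; with `action_order=("alert", "pass", "log")` the alert on sid 6 fires before the pass rule is reached. Switching `order_by` to `"priority"` reorders the HTTP events without changing which rules matched.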
Output module – acts upon the detection of attacks. Snort can log, record or display a message in different formats: file, syslog, ASCII, PCAP, and Unified2 (a binary format intended for quick analysis), as depicted in Figure 6 (Snort.org, 2017).
Figure 6 – Where the output plugin sits in the Snort architecture
Most open source IDS work as a combination of multiple software components and environmental conditions. For example, Snort can run as a daemon (service) or as a standalone application, but it may need additional resources and services: a SQL server for its database logging, a syslog server for log output, a web server for its GUI, and multiple other library dependencies. Commercial IDS are usually able to retrieve and analyse data from multiple sources and platforms. The essential point is that an IDS can be hosted on one machine together with all of its dependencies, or the services can be hosted on several machines configured to work as a unitary system. Nevertheless, when the IDS services are deployed on multiple machines, every one of those machines must be secured.