Snort++ Internals

Snort++ (also known as Snort 3, currently in beta) is the latest version of Snort, a very popular Intrusion Detection System (IDS) / Intrusion Prevention System (IPS). This site attempts to explain how Snort++ works by examining the underlying source code and by adding debugging output to it.

I previously worked as a Snort security analyst and was often confused by what I regarded as cryptic Snort alerts. I was also surprised by the large number of false positives. It occurred to me that Snort++ would be a good candidate for a detailed analysis of its source code (I have done this sort of thing before) and that it would be useful to add debugging output to Snort++ so that a security analyst could better understand, in general, what is going on "under the hood" and, in particular, why Snort++ generated a specific alert.

How to use this site:

First read the two introductions, "UDP Example (Intro, part 1)" and "TCP Example (Intro, part 2)", in that order. They show how Snort++ processes UDP and TCP sessions. Next, look at the "Snort++ packet viewer" tool. The packet viewer runs Snort++ in the background to generate debugging information that shows what Snort++ does with each packet in a TCP session. It shows the pseudo packets that are generated (for example, the reassembled TCP stream data that Snort++ builds from the individual segments and inspects in their place) as well as which Inspectors and MPSEs (multi-pattern search engines, the fast-pattern matchers) are invoked for each packet, real and pseudo. (The amount of debugging output will increase in the future.)

The other links go into more detail.

A note about the Snort++ version:

The packet viewer uses a modified Snort++ version 3.0.0 (Build 239) from 2.9.8-383 to generate its debugging information. In the future, the lag between the version the packet viewer uses and the current Snort++ release should decrease. (That said, I think a security analyst should have a choice: either compile and use Snort++ as a normal desktop application that, after a PCAP file is uploaded, produces extensive debugging information in a form an analyst can easily follow, as the packet viewer attempts to do, or compile and use Snort++ as a daemon/service on a server, which is currently the only option. Hopefully, one day, this will be the case.)

UDP Example (Intro, part 1)

TCP Example (Intro, part 2)

Snort++ packet viewer

In-depth analysis

AppId

HttpInspect

Modules

DAQ

(Example DAQ code - Christos)

workers

Pigs

Miscellaneous

Feedback

About Me

Previous Work