Summary

This chapter looked closely at the inner workings of Snort. Snort acquires raw packets directly from a network interface. The packet acquisition itself is performed by libpcap, a library external to Snort. Libpcap has been ported to every popular computing platform, which is largely what makes Snort itself platform-independent.

The packet decoder is the first internal component of Snort that a sniffed packet encounters. Its job is to parse the successive protocol headers: it works up the TCP/IP stack (data link, network, transport), locating each header in turn and recording its position and key fields in a single packet data structure so that later stages do not have to re-parse the raw bytes. Packets are then routed to the preprocessors.
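The following is an added illustration of what "decoding up the stack into a data structure" means in practice; it is not Snort's source code. The decoder walks Ethernet, then IPv4, then TCP, records a pointer to each header and the fields later stages need in a hypothetical `struct decoded` (loosely analogous to Snort's own packet structure, but not its layout), and bounds-checks every attacker-controlled length field (IHL, TCP data offset, IP total length) against the captured length. The sample frame is constructed by hand, not a real capture.

```c
/* decode.c -- minimal Ethernet/IPv4/TCP decoder in the spirit of Snort's
 * packet decoder: walk up the stack once, record where each header starts,
 * and bounds-check every length field against caplen.
 * Added illustration, not Snort source code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ETH_HLEN = 14, ETHERTYPE_IPV4 = 0x0800, PROTO_TCP = 6, MIN_IP_HLEN = 20, MIN_TCP_HLEN = 20 };

/* Decoded view of one packet: pointers into the raw capture plus the fields
 * later stages need. Hypothetical layout, only analogous to Snort's Packet struct. */
struct decoded {
    const uint8_t *eth, *ip, *tcp, *payload;  /* NULL for layers not present */
    size_t ip_hlen, tcp_hlen, payload_len;
    uint8_t proto, tcp_flags;
    uint32_t src_ip, dst_ip;
    uint16_t sport, dport;
    int truncated;  /* a length field claimed more bytes than were captured */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 when the packet decoded cleanly, -1 when it was malformed or cut
 * short. Never reads beyond pkt[caplen - 1]. */
int decode_packet(const uint8_t *pkt, size_t caplen, struct decoded *d)
{
    memset(d, 0, sizeof *d);
    if (caplen < ETH_HLEN) { d->truncated = 1; return -1; }
    d->eth = pkt;
    if (be16(pkt + 12) != ETHERTYPE_IPV4) return 0;          /* not IPv4: stop at layer 2 */

    const uint8_t *ip = pkt + ETH_HLEN;
    size_t rem = caplen - ETH_HLEN;
    if (rem < MIN_IP_HLEN) { d->truncated = 1; return -1; }
    if ((ip[0] >> 4) != 4) return -1;                         /* version disagrees with EtherType */
    d->ip_hlen = (size_t)(ip[0] & 0x0f) * 4;                  /* IHL: attacker-controlled, must be checked */
    if (d->ip_hlen < MIN_IP_HLEN || d->ip_hlen > rem) { d->truncated = 1; return -1; }
    size_t ip_total = be16(ip + 2);
    if (ip_total < d->ip_hlen) return -1;
    if (ip_total > rem) { d->truncated = 1; ip_total = rem; } /* clamp to what was captured */
    d->ip = ip; d->proto = ip[9];
    d->src_ip = be32(ip + 12); d->dst_ip = be32(ip + 16);
    if (d->proto != PROTO_TCP) {                              /* other transports: expose the rest as payload */
        d->payload = ip + d->ip_hlen; d->payload_len = ip_total - d->ip_hlen;
        return d->truncated ? -1 : 0;
    }

    const uint8_t *tcp = ip + d->ip_hlen;
    rem = ip_total - d->ip_hlen;
    if (rem < MIN_TCP_HLEN) { d->truncated = 1; return -1; }
    d->tcp_hlen = (size_t)(tcp[12] >> 4) * 4;                 /* data offset: also attacker-controlled */
    if (d->tcp_hlen < MIN_TCP_HLEN || d->tcp_hlen > rem) { d->truncated = 1; return -1; }
    d->tcp = tcp; d->sport = be16(tcp); d->dport = be16(tcp + 2); d->tcp_flags = tcp[13];
    d->payload = tcp + d->tcp_hlen;
    d->payload_len = rem - d->tcp_hlen;
    return d->truncated ? -1 : 0;
}

/* Constructed sample frame (not a real capture): Ethernet -> IPv4 -> TCP, 4-byte payload "GET ". */
static const uint8_t SAMPLE[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,  /* Ethernet, type IPv4 */
    0x45,0x00,0x00,0x2c, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,            /* IPv4: IHL 5, len 44, TCP */
    0xc0,0xa8,0x01,0x0a, 0x0a,0x00,0x00,0x05,                                 /* 192.168.1.10 -> 10.0.0.5 */
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,            /* TCP: 49152 -> 80, seq 1 */
    0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,                                 /* offset 5, PSH|ACK */
    'G','E','T',' '
};

/* Destination port of the sample, or 0 if decoding failed. */
int sample_dport(void) { struct decoded d; return decode_packet(SAMPLE, sizeof SAMPLE, &d) == 0 ? d.dport : 0; }
/* Payload length of the sample, or -1 if decoding failed. */
int sample_payload_len(void) { struct decoded d; return decode_packet(SAMPLE, sizeof SAMPLE, &d) == 0 ? (int)d.payload_len : -1; }
/* Same frame with caplen cut to 40 bytes: must be flagged truncated, not read past the end. */
int cut_short_is_flagged(void) { struct decoded d; return decode_packet(SAMPLE, 40, &d) == -1 && d.truncated; }
/* IHL patched to 15 (60 bytes) inside a 58-byte frame: must be rejected, not followed. */
int bogus_ihl_is_rejected(void) {
    uint8_t buf[sizeof SAMPLE]; struct decoded d;
    memcpy(buf, SAMPLE, sizeof buf); buf[ETH_HLEN] = 0x4f;
    return decode_packet(buf, sizeof buf, &d) == -1 && d.tcp == NULL;
}

int main(void)
{
    struct decoded d;
    if (decode_packet(SAMPLE, sizeof SAMPLE, &d) != 0) { puts("decode failed"); return 1; }
    printf("proto %u  sport %u  dport %u  flags 0x%02x  payload %zu bytes\n",
           d.proto, d.sport, d.dport, d.tcp_flags, d.payload_len);
    printf("cut-short flagged: %d, bogus IHL rejected: %d\n", cut_short_is_flagged(), bogus_ihl_is_rejected());
    return 0;
}
```

The two failure-mode helpers are the point a practitioner should take away: an IDS decoder sits directly in the path of attacker-supplied bytes, so every length it reads from a header (IHL, TCP data offset, IP total length) has to be compared with the captured length before it is used as an offset, and a packet that fails the check should be marked truncated rather than partially trusted.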

Snort's preprocessors perform two fundamental functions. They either manipulate packets so the detection engine can properly analyze them, or they ...
