The Detection Engine
The detection engine is the primary Snort component. It has two major functions: rule parsing and signature detection. The detection engine builds attack signatures by parsing Snort rules. Snort rules are read line by line and loaded into an internal data structure. The rules are loaded only when the Snort service is started, so to modify, add, or delete a rule you must restart (refresh) the Snort daemon so that it rereads the rule set.
The detection engine runs traffic through the loaded rule set in the order in which the rules were loaded into memory. You can dictate which rules are tested first by prioritizing them and organizing the rule files accordingly. Rules are split into two functional sections: the rule header (rule tree node) and the rule option (option tree node). The rule header contains the conditions for applying the signature: in it you specify the protocol, the source and destination IP address ranges, the ports, and the log type. The rule header for the OpenSSH CRC32 remote exploit is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22
The rule option for the same exploit is enclosed in parentheses. It contains the actual signature, the priority level, and some documentation about the attack.
(msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:3;)
The detection engine processes rule headers and rule options differently. It builds a decision tree of linked lists whose nodes test each incoming packet for increasingly precise signature elements. A packet is first tested to see whether it is TCP; if so, it is passed to the portion of the tree that holds the TCP rules. The packet is then tested to see whether it matches the source address of a rule; if so, it passes down the corresponding rule chains. This continues until the packet either matches an attack signature or tests clean and is discarded from further inspection. The important thing to remember is that Snort stops testing a packet as soon as it has found a signature that matches it. Even if the packet could possibly match another signature, the detection engine moves on to the next packet. This is why it is valuable to organize rules so that the most malicious signatures are loaded first. Look for this to change in the near future; Snort's developers are hard at work implementing a last-exit strategy.
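The following added example (not code from the book or from Snort itself) models the two-stage evaluation described above: it splits the sid 1324 rule quoted earlier into its header and option fields, tests a constructed packet against the header first and the options second, and shows that with first-exit matching the order of the rules decides which sid fires. The $HOME_NET/$EXTERNAL_NET values, the catch-all rule with placeholder sid 9000001, the packet summary, and the restriction to single ports and the content option are all assumptions made for the demonstration.

```python
import ipaddress
import re

VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}  # constructed snort.conf 'var' values
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')  # key or key:value, ';'-terminated

def parse_rule(line):  # header (rule tree node) fields in Snort's fixed order, then the ordered options
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % line)
    header = dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport"), m.groups()))
    options = [(k, v.strip().strip('"')) for k, v in OPTION_RE.findall(m.group(8))]
    return header, options

def _addr_match(spec, ip):
    spec = VARS.get(spec, spec)  # expand $HOME_NET / $EXTERNAL_NET; a leading '!' negates
    if spec == "any":
        return True
    nets = [ipaddress.ip_network(n) for n in spec.lstrip("!").strip("[]").split(",")]
    return any(ipaddress.ip_address(ip) in n for n in nets) != spec.startswith("!")

def _port_match(spec, port):  # single ports and 'any' only; port ranges are out of scope here
    return spec == "any" or (port == int(spec.lstrip("!"))) != spec.startswith("!")

def header_match(header, pkt):
    # Stage one: protocol, addresses and ports decide whether the options are examined at all.
    return (header["proto"] == pkt["proto"]
            and _addr_match(header["src"], pkt["src"]) and _port_match(header["sport"], pkt["sport"])
            and _addr_match(header["dst"], pkt["dst"]) and _port_match(header["dport"], pkt["dport"]))

def options_match(options, pkt):  # stage two; only 'content' is evaluated here (assumption)
    return all(v.encode() in pkt["payload"] for k, v in options if k == "content")

def first_match(rules, pkt):
    # First-exit behaviour from the text: the first rule that matches wins; later rules are never tried.
    for header, options in rules:
        if header_match(header, pkt) and options_match(options, pkt):
            return dict(options).get("sid")
    return None

# The rule quoted in the text (sid 1324) and a constructed catch-all rule (sid 9000001 is a placeholder).
CRC32_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; '
              'flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; '
              'reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:3;)')
ANY_SSH_RULE = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to server"; sid:9000001; rev:1;)'
# Constructed packet summary (not a capture): an external host sending the exploit string to port 22.
PACKET = {"proto": "tcp", "src": "203.0.113.5", "sport": 40212, "dst": "10.1.2.3", "dport": 22,
          "payload": b"\x00" * 16 + b"/bin/sh\x00"}
```

With the exploit rule loaded first, first_match returns sid 1324; with the catch-all loaded first it returns 9000001 and the exploit signature is never consulted for that packet, which is the ordering effect the section describes.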