This chapter delved deep into the inner workings of Snort. Snort acquires raw packets directly from a network interface card. The acquisition of packets is performed by the libpcap, which is external to Snort. Libpcap is portable to every popular computing platform, making Snort a truly platform-independent application.
The packet decoder is the first internal component of Snort that a sniffed packet encounters. Its purpose is to strip off the various headers. It works by decoding up the TCP/IP stack, and placing the packet in a data structure. Packets are then routed to the preprocessors.
Snort's preprocessors perform two fundamental functions. They either manipulate packets so the detection engine can properly analyze them, or they examine traffic for suspicious use that cannot be discovered by signature detection alone. Snort has a variety of preprocessors, most of which have been added to combat new methods of IDS evasion. Everything from polymorphic shellcode to fragmented packets can be detected with the aid of Snort's preprocessors. After traffic is run through the preprocessors, it is sent on to the detection engine.
The detection engine is responsible for the actual signature detection. Snort rules are loaded into the detection engine and are categorized in a tree-like data structure. This tree structure is implemented to be more efficient by minimizing the number of tests the detection engine has to perform to discover malicious activity. After malicious activity has been discovered, Snort writes intrusion data to any number of output plugins.
The output plugins are the means Snort has to get data from the detection engine to you. Snort can be configured with multiple output plugins to better facilitate intrusion data management. Output plugins can range from simple comma-delimited output to complex relational database output. An output format has been specifically designed for Snort to outsource the writing to databases, which has traditionally been a bottleneck.