Home page logo

snort logo Snort mailing list archives

Re: snort 2.9.x.x software flow chart
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 04 Apr 2013 13:06:03 -0500

On 4/4/2013 10:59, Lawrence R. Hughes,Sr. wrote:
Waldo Kitty,

Thanks for the reply.. Software flow from internet would be great..

here are a couple of possible answers...


figure 6 in the below old (2004) pdf concerning snort 2.4 might help... not sure 
how far off the mark it may be with today's 2.9 version of snort...


there's also the below from 5 Sep 2012 in this list...


i can't get to seclists.org or insecure.org right now... but there are a few 
links pointing to them as well... oh, wait... they are point to the above 
discussion i linked to on gmane...

here's a little something from the father of snort, martin roesch...


dunno if these are what you may be looking for or not... they are what i found 
from uncle google in a few minutes and using a couple of different search term 
phrases... "snort process flow", "snort packet diagram flow", "snort 
architecture diagram"... each without the quotes of course ;)


-----Original Message-----
From: waldo kitty
Sent: Wednesday, April 03, 2013 6:43 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] snort 2.9.x.x software flow chart

On 4/3/2013 13:28, Lawrence R. Hughes,Sr. wrote:
I am looking for a software flowchart for snort2.9.x.x
Anyone know where I can find a copy?

are you speaking of the internet to snort flow or a flow chart for
or something else?

Also, What program handles the capture point (where packets are deemed not
to be
a threat and are allowed to pass)?

there are two options, if i'm understanding your question...

the first option is snort in inline mode with DROP rules... in this mode,
traffic comes in on one interface to snort, gets processed, and then if it
passes, snort feeds it out on another interface to the rest of the network
protected... if snort determines that it is unwanted traffic, then snort
the traffic and doesn't pass it on inward...

the second option is to use some software that monitors the alert file or
alerts being posted to the database... there are several packages that can
handle the traffic at this stage... these packages have different ways of
telling the firewall to block the traffic... they may issue instructions to
iptables on a linux system or they may issue commands to some other software
which would then initiate the block or drop...

I am sure a flowchart would be very useful to find out what code handles

i'm going to assume that this is a further clarification of the first query
that you are wanting to see how the traffic flows into and through snort's

Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]