Detecting Suspicious Traffic via Signatures
The most effective means to date of detecting persons attempting to attack a system or network of systems is via signature-based detection. Signature-based detection is based on the premise that abnormal or malicious network traffic fits a distinct pattern, whereas normal or benign traffic does not. Because malicious traffic can be different in structure and content from all other normal traffic, it is possible to create an attack signature that matches it.
With Snort, a malicious traffic signature is used to create a rule that is loaded into Snort's detection engine. The detection engine is the primary component of Snort and is responsible for signature matching.
The easiest way to understand how Snort's ...