Snort
- versions
  - v2: non-modular
  - v3: modular, multi-threaded
- protocols (rule header)
  - TCP
  - UDP
  - ICMP
  - HTTP: Snort v3 only (service-based rule header)
- actions (rule header)
  - alert: alert and log the packet
  - log: log the packet only, no alert
  - pass: ignore the packet
  - drop: block and log (inline mode)
  - reject: block, log, and send a TCP RST (TCP) or ICMP unreachable (UDP); inline mode
  - sdrop: block silently, without logging (inline mode)
- no FQDN lookup (addresses in rules and variables are IPs/CIDRs, not hostnames)

SSP
- Snort Security Platform
- functions:
  - data acquisition
  - encoding/decoding
  - flow normalization
  - defragmentation
  - stream assembly

DAQ
- data acquisition module
- pcap DAQ: one interface (or a capture file), passive IDS
- afpacket DAQ: two interfaces bridged as an inline pair, IPS (required for drop/reject/sdrop to actually block)
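The action list above in working rule form. This is a constructed local rules file added here as an illustration, not part of the original notes or of the Snort distribution; it uses Snort 2.9 rule syntax (the action set with sdrop is the one these notes describe), the usual $HOME_NET variable, a placeholder 192.0.2.10 scanner address, and local sids from 1000001 upward. The drop/reject/sdrop rules only block when Snort runs inline (afpacket DAQ, two interfaces, -Q); in passive pcap mode they can only alert.

```snort
# --- local.rules: constructed example, not from the notes or from Snort ---
# Placeholder address for an authorized internal scanner (RFC 5737 range).
ipvar SCANNER_HOST 192.0.2.10

# alert: raise an alert and log the triggering packet (works in passive and inline mode)
alert tcp any any -> $HOME_NET 22 (msg:"Inbound SSH connection"; flow:to_server,established; sid:1000001; rev:1;)

# log: write the packet to the log without generating an alert
log udp any any -> $HOME_NET 53 (msg:"DNS query logged"; sid:1000002; rev:1;)

# pass: ignore traffic from the authorized scanner so it does not trip the rules below
pass tcp $SCANNER_HOST any -> $HOME_NET any (msg:"Authorized vulnerability scanner"; sid:1000003; rev:1;)

# drop: block the packet and log it (inline/IPS only; itype:8 = ICMP echo request)
drop icmp any any -> $HOME_NET any (msg:"ICMP echo request blocked"; itype:8; sid:1000004; rev:1;)

# reject: block, log, and answer with a TCP RST (for UDP Snort sends ICMP port unreachable)
reject tcp any any -> $HOME_NET 23 (msg:"Telnet to internal host rejected"; flow:to_server; sid:1000005; rev:1;)

# sdrop: block silently, nothing written to the log
sdrop udp any any -> $HOME_NET 1900 (msg:"SSDP discovery silently dropped"; sid:1000006; rev:1;)

# HTTP inspection via the http_uri content modifier on the decoded request URI
# (Snort 3 can instead name http directly in the header: alert http any any -> ...)
alert tcp any any -> $HOME_NET 80 (msg:"Request for /admin path"; flow:to_server,established; content:"/admin"; http_uri; sid:1000007; rev:1;)
```

Each rule header is action, protocol, source address/port, direction, destination address/port; the options in parentheses carry the message and the unique sid/rev pair that identifies the rule in alert output. The pass rule is listed first for readability only; which action wins when several rules match the same packet is governed by Snort's configured rule order, not by position in the file.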