If you think of the Sourcefire Next-Generation IPS (NGIPS) as a high performance car, Snort® delivers the high performance engine. This engine consists of threat detection and prevention components that work together to reassemble traffic, prevent evasions, detect threats, and output information about these threats without creating false positives or missing legitimate threats.
The threat prevention process in Snort consists of multiple components that work together to reassemble traffic as a target host would see it, identify traffic that may contain threats, and match Snort rules against this traffic to recognize attacks. Together, these components efficiently detect threats and reduce or eliminate false alarms.
The threat prevention components of Snort include a packet classifier, which decides which packets are inspected; an IP defragmenter and a TCP reassembler, which ensure Snort inspects IP fragments and TCP segments in the proper order; a portscan processor, which watches for portscans; and a detection engine and preprocessors, which perform protocol normalization, rule matching, and many other detection functions.
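The reason reassembly sits in front of rule matching is that a content pattern can straddle segment boundaries, so matching each TCP segment on its own misses what the target host actually receives. The following added example (written for this page, not Snort's own code) reassembles a constructed set of out-of-order TCP segments into the stream a host would see and then applies a hypothetical content rule to both the individual segments and the reassembled stream; the rule pattern, the ISN and the segments are all constructed sample values.

```python
# Hypothetical Snort-style content pattern (constructed for this example, not a real rule).
RULE_CONTENT = b"/cgi-bin/evil"

def match_rule(payload: bytes) -> bool:
    """Minimal stand-in for a content match: does the pattern appear in the payload?"""
    return RULE_CONTENT in payload

def reassemble(segments, isn):
    """Rebuild the byte stream a target host would see from (seq, data) TCP segments.

    Segments may arrive in any order and may be retransmitted. On overlap the
    first-received byte wins (one of several host-dependent policies; a real
    reassembler chooses the policy to mimic the target OS). Reassembly stops at
    the first gap, since a host cannot deliver bytes past a missing segment.
    """
    stream = {}
    for seq, data in segments:              # iterate in arrival order
        for i, byte in enumerate(data):
            stream.setdefault(seq - isn + i, byte)   # keep first-received byte
    out = bytearray()
    offset = 0
    while offset in stream:                 # contiguous prefix only
        out.append(stream[offset])
        offset += 1
    return bytes(out)

def inspect_per_segment(segments) -> bool:
    """Naive inspection: run the rule against each segment independently."""
    return any(match_rule(data) for _, data in segments)

def inspect_stream(segments, isn) -> bool:
    """Correct inspection: reassemble first, then run the rule."""
    return match_rule(reassemble(segments, isn))

# Constructed sample: one HTTP request line split so the pattern crosses two
# segment boundaries, delivered out of order with one duplicate retransmission.
SAMPLE_ISN = 1000
SAMPLE_SEGMENTS = [
    (1010, b"in/evil HT"),      # arrives first, out of order
    (1000, b"GET /cgi-b"),
    (1020, b"TP/1.0\r\n"),
    (1010, b"in/evil HT"),      # retransmission of an already-seen segment
]

if __name__ == "__main__":
    print("per-segment match:", inspect_per_segment(SAMPLE_SEGMENTS))   # False
    print("stream match:     ", inspect_stream(SAMPLE_SEGMENTS, SAMPLE_ISN))  # True
```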
Snort’s detection components reside at the core of the threat prevention capabilities of Sourcefire Appliances. They ensure that threats are detected, false positives and negatives are avoided, and detection performance is high.
To learn more about the Snort Engine, download the Snort Threat Prevention Components white paper.