Snort 1 – key features and limitations
Snort 1.0 was released in April 1999. It was the year of the Melissa email virus. The ping of death, Smurf, Local Area Network Denial (LAND) attacks, and website defacements were some of the threats of the time. Detecting such attacks only required basic decoding of the various packet headers.
Snort 1.0 had very limited features. The main features of Snort 1.0 included packet decoding functionality, a detection engine (for matching packets against rules), and the feature to create alerts/logs. The Snort rules capability was also limited and supported only the following keywords: content, msg, flags, ttl, itype, and icode.
The Snort code base contained just 10 files and 5,000 lines of code. A sample rules file was part of the Snort 1.0 release and had 18 signatures; a subset of that is shown as follows. Notice the simplicity of the signatures:
alert tcp any any -> 192.168.1.0/24 any (msg:"SYN-FIN scan!"; flags: SF...
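To show how little a Snort 1-era rule needs from the packet, here is an added illustration (my own code, not Snort's) of a matcher for rules in this style: it parses the header (action, protocol, addresses, ports) and the keywords the text lists, then tests them against packets that are assumed to be already decoded into header-field dicts. The flags keyword is taken as "exactly these bits set" (no modifiers), and the rules and packets are constructed samples.

```python
import ipaddress

# Flag letters as used by the "flags" keyword, mapped to TCP header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_rule(text):
    """Split a Snort 1-style rule into header fields and an option dict."""
    head, opts = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            options[key.strip()] = val.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, options=options)

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_match(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(rule, pkt):
    """True if the decoded header fields in pkt satisfy every test in rule."""
    o = rule["options"]
    checks = [
        rule["proto"] == pkt["proto"],
        addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"]),
        pkt["proto"] not in ("tcp", "udp") or (port_match(rule["sport"], pkt["sport"]) and port_match(rule["dport"], pkt["dport"])),
        # flags:SF with no modifier is treated as "exactly these bits set" (assumption, modifiers omitted)
        "flags" not in o or pkt.get("flags", 0) == sum(FLAG_BITS[c] for c in o["flags"]),
        all(pkt.get(k) == int(o[k]) for k in ("ttl", "itype", "icode") if k in o),
        "content" not in o or o["content"].encode() in pkt.get("payload", b""),
    ]
    return all(checks)

def fired_messages(rules, pkt):
    """Return the msg text of each rule that fires on one decoded packet."""
    return [r["options"].get("msg", "") for r in map(parse_rule, rules) if rule_matches(r, pkt)]

RULES = [  # constructed rules in the Snort 1 style shown above
    'alert tcp any any -> 192.168.1.0/24 any (msg:"SYN-FIN scan!"; flags: SF;)',
    'alert icmp any any -> 192.168.1.0/24 any (msg:"ICMP echo request"; itype: 8; icode: 0;)',
]
SYN_FIN = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.20", "dport": 80, "flags": 0x03}
SYN_ONLY = dict(SYN_FIN, flags=0x02)  # constructed: a normal SYN, must not fire
ECHO = {"proto": "icmp", "src": "10.0.0.5", "dst": "192.168.1.20", "itype": 8, "icode": 0}
if __name__ == "__main__":
    print([fired_messages(RULES, p) for p in (SYN_FIN, SYN_ONLY, ECHO)])
```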