The role of inspectors
Ideally, the Snort system should analyze the network traffic as an end host or server would do in order to detect malicious or otherwise interesting activity.
For an end host, traffic is first processed by the TCP/IP layers (layers 2 to 4) before it reaches a specific application. Applications are many and varied, such as the following:
- Web clients (browsers) such as Mozilla Firefox and web servers such as Apache, which use the HTTP/HTTPS protocol.
- Mail clients such as Outlook and mail servers such as Nginx, which use protocols such as SMTP, IMAP, POP, and so on.
Snort 3 mirrors this split: the decoders perform the TCP/IP layer analysis (layers 2 to 4), and then the inspectors perform the application-specific analysis. These modules implement the analysis logic that mimics the essential processing done by the various application client and server programs.
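To make the decoder/inspector split concrete, the following is an added example written for this page, not Snort's own code: a small Python model of the same two stages. Decoder functions walk layers 2 to 4 of a constructed Ethernet/IPv4/TCP frame (honouring the IPv4 header length and TCP data offset, and rejecting truncated headers), then a per-service inspector chosen by destination port checks the HTTP request roughly the way a web server would. The frame, the port-to-inspector table, the function names and the event strings are all assumptions of this example.

```python
"""Toy model of the Snort 3 layering: decoders for layers 2-4, then a
per-service inspector for the application payload. Illustrative only; not
Snort code. The sample frame and port table below are constructed."""
import struct

def decode_ethernet(frame):
    """Layer 2: return (ethertype, remaining bytes)."""
    if len(frame) < 14:
        raise ValueError("short ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype, frame[14:]

def decode_ipv4(data):
    """Layer 3: return (protocol, src, dst, payload), honouring IHL and total length."""
    if len(data) < 20:
        raise ValueError("short ipv4 header")
    fields = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not ipv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(data):
        raise ValueError("bad ipv4 lengths")
    return proto, src, dst, data[ihl:total_len]

def decode_tcp(seg):
    """Layer 4: return (sport, dport, payload), honouring the data offset."""
    if len(seg) < 20:
        raise ValueError("short tcp header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    doff = (off_flags >> 12) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad tcp data offset")
    return sport, dport, seg[doff:]

KNOWN_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS")

def http_inspect(payload):
    """Application layer: the checks a web server would make on a request head.
    Returns a list of event strings (empty when nothing is wrong)."""
    events = []
    head = payload.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return ["http: malformed request line"]
    method = parts[0]
    if method not in KNOWN_METHODS:
        events.append("http: unknown method %s" % method.decode(errors="replace"))
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            events.append("http: malformed header line")
            continue
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        events.append("http: missing Host header")
    return events

# Hypothetical service binding: destination port -> inspector (constructed).
INSPECTORS = {80: http_inspect, 8080: http_inspect}

def analyze(frame):
    """Run the decoders in order, then hand the payload to the bound inspector."""
    ethertype, pkt = decode_ethernet(frame)
    if ethertype != 0x0800:
        return {"service": None, "events": ["decoder: non-ipv4 ethertype 0x%04x" % ethertype]}
    proto, src, dst, seg = decode_ipv4(pkt)
    if proto != 6:
        return {"service": None, "events": ["decoder: non-tcp protocol %d" % proto]}
    sport, dport, payload = decode_tcp(seg)
    inspector = INSPECTORS.get(dport)
    events = inspector(payload) if inspector and payload else []
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport,
        "service": inspector.__name__ if inspector else None,
        "events": events,
    }

def build_frame(payload, dport=80):
    """Construct a minimal Ethernet/IPv4/TCP frame carrying `payload` (test data)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + tcp
    return eth + ip

# Constructed sample requests: one well-formed, one a server would reject.
SAMPLE_GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_BAD = b"FOO /x HTTP/1.1\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        print(analyze(build_frame(sample)))
```

The decoders never look at the application bytes and the inspector never looks at the headers below it; the only coupling is the port-based binding in `INSPECTORS`, which stands in for Snort's service-to-inspector binding. Traffic to a port with no bound inspector is decoded but produces no application events.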
Architecturally, inspectors are implemented...