[Snort-devel] snort signatures categorization
From: karim hassib <k_hassib(at)hotmail.com>
Date: Thu Jun 19 2003 - 18:14:49 EDT

Hi,

I don't know if this is the correct list for my issue or not, but anyway. We're a couple of students at Cairo University in Egypt and we're trying to write an IDS, and we're using the signatures of Snort as attack signatures.

Now we're writing the analysis engine and the parser, and we want to try to do it in a more detailed way than Snort. We want at the end to have more categories but fewer signatures in each category, to have less pattern matching in the content and to be faster. The problem is that when we started looking at the files, it's difficult to get these additional categories based on the source port, dest port, and source and destination IPs only.

So do you have any suggestions on how to try to group them together? How does Snort do it exactly? I took a look at the LISA paper, but I need to know how the categories are determined: based on the files only, or do we get more than one category in each file?

Best regards, and thanks for your time.

_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Thu Jun 19 18:32:45 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT