第一层结构：RuleListNode
typedef struct _RuleListNode
{
   ListHead *RuleList;         /* The rule list associated with this node */
    int mode;                   /* the rule mode */
    int rval;                   /* 0 == no detection, 1 == detection event */
    int evalIndex;              /* eval index for this rule set */
    char *name;                 /* name of this rule list (for debugging)  */
    struct _RuleListNode *next; /* the next RuleListNode */
} RuleListNode;
    数据结构RuleListNode链表代表了系统支持的规则类型，包Alert,Log,Pass,Activate,Dynamic。每链表节电又通过ListHead结构类型字段RuleList指向下面的规则链表。

第二层结构：ListHead
typedef struct _ListHead
{
    RuleTreeNode *IpList;
    RuleTreeNode *TcpList;
    RuleTreeNode *UdpList;
    RuleTreeNode *IcmpList;
    struct _OutputFuncNode *LogList;
    struct _OutputFuncNode *AlertList;
    struct _RuleListNode *ruleListNode;
} ListHead;
    数据结构ListHead中若干字段IpList , TcpList , UdpList , IcmpList等又分别指向各协议类型划分的规则链表，同时，可能有一个回指针去对应RuleListNode节点。


第三层结构：RuleTreeNode
typedef struct _RuleTreeNode
{
    RuleFpList *rule_func; /* match functions.. (Bidirectional etc.. ) */

    int head_node_number;

    int type;

    IpAddrSet *sip;
    IpAddrSet *dip;

    int not_sp_flag;     /* not source port flag */

    u_short hsp;         /* hi src port */
    u_short lsp;         /* lo src port */

    int not_dp_flag;     /* not dest port flag */

    u_short hdp;         /* hi dest port */
    u_short ldp;         /* lo dest port */

    u_int32_t flags;     /* control flags */

    /* stuff for dynamic rules activation/deactivation */
    int active_flag;
    int activation_counter;
    int countdown;
    ActivateList *activate_list;

    struct _RuleTreeNode *right;  /* ptr to the next RTN in the list */

    OptTreeNode *down;   /* list of rule options to associate with this
                            rule node */
    struct _ListHead *listhead;

} RuleTreeNode;
    最基础的数据结构包括RuleTreeNode和OptTreeNode,分别代表最基本的规则链表头和规则节
点，并分别定义。

snort三维规则链表数据结构图如下：