Ever wondered what the buffers look like inside of Snort? Want to see what the preprocessors and decoders do to your traffic?
Take a look at this new post by kpyke of our Vulnerability Research Team (VRT) here at Sourcefire. The post includes some great new example SO rules that you can use to really understand what is going on under the hood of Snort
http://blog.talosintel.com/2011/01/in-which-kpyke-looks-behind-green.html