-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Sevil,
We use a two-stage process in the Snort detection engine these days.
In it's standard configuration all the rules that are loaded in at
runtime have their longest pattern matching option (content/
uricontent) loaded into a fast set-wise pattern matching engine.
(Set-wise pattern matchers match all patterns in the set
simultaneously.) Once the engine is up and running, traffic is run
thru the set-wise pattern matcher to pre-qualify rules that *may*
fire. These rules are chained together and tested after the
prequalification stage, greatly reducing the number of rules that
have to be analyzed for any given data set. For the sake of building
the prequalification set-wise matching data, the PCRE rule options
are ignored and only tested when the full rules themselves are tested
after prequalification.
There are three basic pattern matching algorithms that we use in
Snort today, Wu-Manber, Aho-Corasick and Boyer-Moore. PCRE uses its
own DFA/NFA mechanisms behind the scenes.
Hope that helps!
-Marty
On Jan 25, 2006, at 2:01 PM, Sevil SEN wrote:
Hello,
I know that Snort uses efficient multiple-string algorithms. If the
set of strings contain regular expressions, which algorithm is used
in Snort?
thanks..
_________________________________________________________________
Her yönüyle sohbetin tadi ancak Messenger ile çikar! http://
messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584
----------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-
ids_040708 to learn more.
----------------------------------------------------------------------
--
- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFD19f4qj0FAQQ3KOARAjXLAJwN6EG7KIrdwSSoQdoD+ndBbMvpVQCfSKx0
tW43zCOMY/dPWmMLfhWPkzY=
=YFtm
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
