Thank you Marty.
As I understand, snort uses aho-corasick, wu-manber or boyer-moore
multi-pattern matching algorithms for literal strings(content/uri-content
options). And it uses pcre library for regular expressions. As I see, it
doesn't match all regular expressions simultaneously. It matchs the regular
expressions using pcre_exec function one by one. If we have too many rules
that contain regular expressions(pcre option), isn't it inefficient?
From: Martin Roesch <[EMAIL PROTECTED]>
To: Sevil SEN <[EMAIL PROTECTED]>
CC: [email protected]
Subject: Re: snort & regular expressions
Date: Wed, 25 Jan 2006 14:56:40 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Sevil,
We use a two-stage process in the Snort detection engine these days. In
it's standard configuration all the rules that are loaded in at runtime
have their longest pattern matching option (content/ uricontent) loaded
into a fast set-wise pattern matching engine. (Set-wise pattern matchers
match all patterns in the set simultaneously.) Once the engine is up and
running, traffic is run thru the set-wise pattern matcher to pre-qualify
rules that *may* fire. These rules are chained together and tested after
the prequalification stage, greatly reducing the number of rules that
have to be analyzed for any given data set. For the sake of building the
prequalification set-wise matching data, the PCRE rule options are ignored
and only tested when the full rules themselves are tested after
prequalification.
There are three basic pattern matching algorithms that we use in Snort
today, Wu-Manber, Aho-Corasick and Boyer-Moore. PCRE uses its own DFA/NFA
mechanisms behind the scenes.
Hope that helps!
-Marty
On Jan 25, 2006, at 2:01 PM, Sevil SEN wrote:
Hello,
I know that Snort uses efficient multiple-string algorithms. If the set
of strings contain regular expressions, which algorithm is used in Snort?
thanks..
_________________________________________________________________
Her yönüyle sohbetin tadi ancak Messenger ile çikar! http://
messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584
---------------------------------------------------------------------- --
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus- ids_040708
to learn more.
---------------------------------------------------------------------- --
- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)
iD8DBQFD19f4qj0FAQQ3KOARAjXLAJwN6EG7KIrdwSSoQdoD+ndBbMvpVQCfSKx0
tW43zCOMY/dPWmMLfhWPkzY=
=YFtm
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
_________________________________________________________________
Her yönüyle sohbetin tadi ancak Messenger ile çikar!
http://messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
