[Snort-devel] Latest cvs updates

Daniel Roelker droelker at ...402...
Thu Oct 10 07:23:05 EDT 2002

There are three major changes to the Snort detection engine, two of those
have to do with performance, the other one deals with event queuing.

The first change is a rule optimizer.  This basically reads all of the rules
from the RTN/OTN lists and group those into unique rule sets based on
protocol parameters.  This insures that each packet that is analyzed can
select one group of rules and that's it.  Since each packet deals with one
rule group, set inspection methodologies can be utilized.  Obviously this
increases performance drastically.

The second change is a multi-rule detection engine.  This is where the rules
in a group are actually processed using set analysis.  As you picked up on
in your next post, there are two types of multi-pattern matchers you can
use:  one is a wu-manber algorithm and the other is a classic aho-corasick
algorithm.  You should note though, that what makes this whole detection
philosophy different is the way in which the rule optimizer creates rule
subsets based on unique parameters.  This allows the multi-rule detection
engine to work much better than previous attempts at speeding up Snort.

The third change is in event queuing.  Snort now detects all occurrences of
alerts in a packet/stream and queues them for a final selection process.
Currently, this is based on the longest content match, which should give you
a more specific alert.  For example, instead of picking up an HTTP directory
traversal, you would see a cmd.exe alert.

This code is contained in the following files:


To answer your question about how to enable mwm or ac, here's how:

config detection: search-method [ac or mwm]

some of the other options are:

* this turns on a lot of information for you to see when building rule sets
and post processing.

* this is a little performance boost by telling the detection engine to not
inspect stream inserts, since they will (hopefully :) ) be flushed through
the detection engine.  You might want to run some tests turning this on so
you can see the difference.

* this allows you to tell the detection engine how many events to queue for
a packet before selecting one.

Hope this helps a little.


On 10/10/02 6:52 AM, "Kreimendahl, Chad J" <Chad.Kreimendahl at ...1167...> wrote:

> I noticed the massive amount of changes, coupled with a change in build
> number to '1'.   Anyone care to enlighten those of us who chose to test
> this baby out as to what all the wonderous new features are?... My guess
> from the cvs log... Performance increase, change to output stuffs...
> -----Original Message-----
> From: Chris Green [mailto:chrisgreen at ...64...]
> Sent: Thursday, October 10, 2002 12:06 AM
> To: snort-cvsinfo at lists.sourceforge.net
> Subject: [snort-cvs] CVS: snort - chrisgreen
> CVSROOT:    /cvsroot/snort
> Module name:    snort
> Changes by:    chrisgreen at ...1161...    2002/10/09 22:06:00
> Modified files:
> .              : ChangeLog config.h.in configure configure.in
> contrib        : Makefile.in
> src            : Makefile.am Makefile.in checksum.h decode.c
>                 decode.h detect.c detect.h log.c parser.c
>                 parser.h plugbase.c plugbase.h signature.c
>                 snort.c snort.h util.c
> src/detection-plugins: sp_clientserver.c sp_icmp_code_check.c
>                       sp_icmp_id_check.c sp_icmp_seq_check.c
>                       sp_icmp_type_check.c sp_icmp_type_check.h
>                       sp_ip_proto.c sp_ip_proto.h
>                       sp_ip_same_check.c sp_ipoption_check.c
>                       sp_pattern_match.c sp_pattern_match.h
>                       sp_react.c sp_react.h sp_respond.c
>                       sp_rpc_check.c sp_session.c
>                       sp_tcp_ack_check.c sp_tcp_flag_check.c
>                       sp_tcp_seq_check.c sp_tcp_win_check.c
> src/output-plugins: spo_alert_smb.c spo_alert_syslog.c
>                    spo_alert_unixsock.c spo_csv.c
>                    spo_log_ascii.c spo_log_tcpdump.c
>                    spo_unified.c spo_xml.c
> src/preprocessors: Makefile.am Makefile.in spp_arpspoof.c
>                   spp_asn1.c spp_bo.c spp_conversation.c
>                   spp_fnord.c spp_frag2.c spp_frag2.h
>                   spp_http_decode.c spp_http_decode.h
>                   spp_perfmonitor.c spp_perfmonitor.h
>                   spp_portscan.c spp_portscan2.c spp_stream4.c
>                   spp_stream4.h spp_telnet_negotiation.c
>                   spp_telnet_negotiation.h
> src/win32      : Makefile.in
> src/win32/WIN32-Prj: snort.dsp
> Added files:
> src            : acsmx.c acsmx.h bitop.h fpcreate.c fpcreate.h
>                 fpdetect.c fpdetect.h mpse.c mpse.h mwm.c mwm.h
>                 pcrm.c pcrm.h smalloc.h
> src/preprocessors: http-resp.c http-resp.h perf-base.c
>                   perf-base.h perf-event.c perf-event.h
>                   perf-flow.c perf-flow.h perf.c perf.h
>                   sfprocpidstats.c sfprocpidstats.h
>                   spp_httpflow.c spp_httpflow.h
> Removed files:
> src            : perf-base.c perf-base.h perf-event.c
>                 perf-event.h perf-flow.c perf-flow.h perf.c
>                 perf.h
> Log message:
> * merged in Sourcefire perfmods, httpflow, newer perfmonitor
> * merged with snort-1.9.0 head
> will work on win32 proj/docs soon
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-cvsinfo mailing list
> Snort-cvsinfo at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-cvsinfo
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

Daniel Roelker
Software Engineer
droelker at ...402...


More information about the Snort-devel mailing list