[Snort-devel] A question about Pattern Matching in Snort 1.9.0beta6

shadi Rostami shadi at ...1579...
Wed Sep 18 16:56:01 EDT 2002


Hello,
It seems that Mike Fisk's pattern matching algorithm is integrated in Snort
1.9.0beta6 algorithm.
However, in Mike's algorithm he shows that these methods should be used for
different set sizes to achieve the best throughput:
set_size <= 2 ->BM
2 <set_size <= 100 -> SBMH
set_size > 100 -> AHO.

However, when I look at the code in substr.c, it seems that if the set_size
is less than 101, AHO is used.
SBMH is used only when the set size is more than 100.
I have attached that piece of code to this email.
I was wondering if I am missing something, or there is a bug in the code.

Thanks
--Shadi

fast_compile(substr_object * set)
{
  struct pattern * p;
  int setsize=0;

  for (p=set->patterns; p; p=p->next)
    setsize++;

  /* Choose algorithm based on size */
  if (setsize <= 2) { /* Use Horspool */
    set->search = &horspool_search;
    set->compile = &horspool_compile;
  } else if (setsize < 101) { /* Use Aho-Corasick */
    set->search = &ac_search;
    set->compile = &ac_compile;
  } else {
    set->search = &set_search;
    set->compile = &set_compile;
  }

  return set->compile(set);
}

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20020918/57c526a7/attachment.html>


More information about the Snort-devel mailing list