[Snort-devel] Multirule inspection engine

Daniel J. Roelker droelker at ...402...
Thu Jun 26 08:50:04 EDT 2003


Right you are.  Good thing that we built in anti-DOSing strategies for
these types of scenarios.  ;)

We keep track of what patterns have already fired for a particular
packet, so we don't need to keep analyzing the packet for the same
pattern.  Let's consider your example, but where the pattern is 100 NULL
bytes and the packet is 1400 bytes of NULLs.  That means that we would
be analyzing each byte after the 99th byte 100 times.  That's pretty
slow.  With the strategies that we built in, we match this pattern once,
verify the rule, and then don't match that pattern again.  That's how it
works for the Wu-Manber pattern matcher.

As for Aho-Corasick, the pattern matcher intrinsically only looks at
each byte once, so we don't need to worry about inspecting bytes more
than once.  But we still verify each rule only once, when a pattern
matches and keep track that the pattern has already been verified. If
that pattern is seen again, we just continue pattern matching for the
next unseen pattern.

Thanks for bringing that aspect up about the new detection engine.  We
were wondering when someone was going to ask about that.

Dan

On Mon, 2003-06-23 at 23:37, Antonatos Spiros wrote:
> well there is a performance penalty here. Let's consider a traffic flow
> where each packet's payload consists only of zeros. There are some rules
> that search for |00 00| in the payload. That means finding about 700
> occurrences of |00 00| in one packet (assuming 1400 bytes payload) whereas
> only one occurrence is enough.
> 
> Antonatos Spiros
> 
> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net] 
> Sent: Monday, 23 June 2003 10:53 PM
> To: snort-devel-admin at lists.sourceforge.net;
> snort-devel at lists.sourceforge.net
> Subject: RE: [Snort-devel] Multirule inspection engine
> 
> The Wu-Manber and most multi-pattern search engines find all occurrences of
> patterns. However, remember snort only logs one event per packet.  So, we
> queue up all of the occurrences, and select one. Usually the longest content
> that matches is considered the most significant and accurate. Someday we'll
> log multiple packets.
> 
> -----Original Message-----
> From: snort-devel-admin at lists.sourceforge.net
> [mailto:snort-devel-admin at lists.sourceforge.net] 
> Sent: Monday, June 16, 2003 3:54 PM
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] Multirule inspection engine
> 
> The engine (based on wu manber algorithm) finds all the occurrences of a
> pattern in a packet or the first one?
> 
> Antonatos Spiros
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
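The per-packet "already fired" tracking Dan describes, as an added illustration that is not Snort's code: a naive scan stands in for the Wu-Manber matcher (it reports every occurrence of every pattern, which is the behaviour that causes the problem), and a per-packet table of verified pattern IDs makes each rule's full verification run at most once no matter how many times its content appears. The rule names, the `verify_rule` stand-in and the all-NULL payloads are constructed for the example; the pattern lengths come from the thread (100 NULL bytes from Dan, |00 00| from Spiros, both against a 1400-byte payload).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Snort's implementation. */

#define MAX_PATTERNS 8
#define PAYLOAD_LEN  1400

struct pattern {
    const uint8_t *bytes;
    size_t len;
    const char *rule;   /* hypothetical rule name, for illustration only */
};

struct match_stats {
    unsigned long occurrences;   /* hits reported by the multi-pattern matcher */
    unsigned long verifications; /* full rule checks actually performed */
};

/* Stand-in for the expensive part: checking the rule's remaining options
 * once its content pattern has been found in the packet. */
static int verify_rule(const struct pattern *p, const uint8_t *pkt, size_t len, size_t off)
{
    (void)pkt; (void)len; (void)off;
    return p->len > 0;
}

/* Report every occurrence of every pattern (as Wu-Manber does). With dedupe
 * set, a pattern that has already been verified for this packet is skipped on
 * later hits; without it, every hit triggers a verification. */
static struct match_stats scan_packet(const struct pattern *pats, size_t npats,
                                      const uint8_t *pkt, size_t len, int dedupe)
{
    struct match_stats st = {0, 0};
    uint8_t verified[MAX_PATTERNS] = {0};   /* per-packet state, reset per packet */

    for (size_t off = 0; off < len; off++) {
        for (size_t i = 0; i < npats && i < MAX_PATTERNS; i++) {
            const struct pattern *p = &pats[i];
            if (p->len > len - off || memcmp(pkt + off, p->bytes, p->len) != 0)
                continue;
            st.occurrences++;
            if (dedupe && verified[i])
                continue;        /* same pattern already fired: do not re-verify */
            verify_rule(p, pkt, len, off);
            verified[i] = 1;     /* remember it whether or not the rule matched */
            st.verifications++;
        }
    }
    return st;
}

/* The thread's scenario: a pattern of pattern_len NULL bytes against a
 * 1400-byte all-NULL payload (constructed input). */
static struct match_stats null_flood_demo(size_t pattern_len, int dedupe)
{
    static const uint8_t zeros[PAYLOAD_LEN];        /* zero-initialised */
    struct pattern pats[1] = { { zeros, pattern_len, "hypothetical-null-rule" } };
    return scan_packet(pats, 1, zeros, sizeof zeros, dedupe);
}

/* Two different patterns are tracked independently: each is verified once. */
static unsigned long two_pattern_verifications(void)
{
    static const uint8_t zeros[PAYLOAD_LEN];
    struct pattern pats[2] = {
        { zeros, 2,   "hypothetical-two-null-rule" },
        { zeros, 100, "hypothetical-null-rule" },
    };
    return scan_packet(pats, 2, zeros, sizeof zeros, 1).verifications;
}

int main(void)
{
    struct match_stats naive = null_flood_demo(100, 0);
    struct match_stats tracked = null_flood_demo(100, 1);
    printf("100 NULLs, no tracking:   %lu hits, %lu verifications\n",
           naive.occurrences, naive.verifications);
    printf("100 NULLs, with tracking: %lu hits, %lu verifications\n",
           tracked.occurrences, tracked.verifications);
    tracked = null_flood_demo(2, 1);
    printf("|00 00|, with tracking:   %lu hits, %lu verifications\n",
           tracked.occurrences, tracked.verifications);
    return 0;
}
```

The matcher still reports every hit (1301 for the 100-byte pattern, 1399 for |00 00|), so the cost of the search itself is unchanged; what the tracking removes is the repeated rule verification, which drops from once per hit to once per pattern per packet.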