[Snort-devel] How does the pattern matching engine do with multi-content signatures?

Rong-Tai Liu tie at ...2176...
Fri Sep 12 09:19:41 EDT 2003


I'm studying the pattern-matching algorithms of Snort.

Snort 2.0 change the default search engine to multi-pattern matching algorithm such like Wu's and Aho-Corasick.
so How do they do with the multi-content signatures? 

For exmaple, if a signature contains 4 content strings, will these four string be inserted into the search engine in the same time during signature insertion? 
(And a signature is matched only if all of these 4 matched)
Or they only insert the longest one into the table, and if it's matched then try to use BM or something to search for the rest three?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030912/019f0c17/attachment.html>

More information about the Snort-devel mailing list