[Snort-devel] How does the pattern matching engine do with multi-content signatures?

Marc Norton marc.norton at ...402...
Mon Sep 15 06:31:07 EDT 2003


The 2.0 detection engine selects one of the contents (the longest, for
now) and tests against it. If it is found, then the whole rule is
evaluated against the packet with a detailed inspection, which is an
enhanced version of what was present previous to 2.0.  The detailed rule
inspection will validate all of the contents, and any other rule
options.  The multi-pattern matching phase is just the higher speed rule
elimination phase.
 
-----Original Message-----
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Rong-Tai
Liu
Sent: Thursday, September 11, 2003 12:43 PM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] How does the pattern matching engine do with
multi-content signatures?
 
Hello,
 
I'm studying the pattern-matching algorithms of Snort.
 
Snort 2.0 changed the default search engine to multi-pattern matching
algorithms such as Wu's and Aho-Corasick.
So how do they deal with multi-content signatures?
 
For example, if a signature contains 4 content strings, will these four
strings be inserted into the search engine at the same time during
signature insertion?
(And a signature is matched only if all of these 4 matched)
Or do they only insert the longest one into the table, and if it's matched
then try to use BM or something to search for the remaining three?
 
Thanks,
Terry.
 
 
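The two-phase scheme Marc describes, as an added illustration that is not Snort source and not part of the original thread: each rule's longest content is loaded into an Aho-Corasick multi-pattern automaton that acts only as a fast pre-filter, and a hit merely nominates the rule; the rule fires only when a detailed pass confirms every one of its contents in the payload. The rule set, the sample payloads and the simplified "longest content wins" selection are constructed for this example, and the detailed phase here is a plain substring check rather than Snort's full option evaluation.

```python
"""Constructed model of Snort 2.0-style two-phase rule evaluation.

Phase 1: multi-pattern search (Aho-Corasick) over one anchor content per
         rule, chosen as the longest content, which is what Marc's reply
         says the 2.0 engine does "for now".
Phase 2: detailed inspection of every nominated rule; all contents must be
         present for the rule to fire. Real Snort also checks the other
         rule options in this phase; this model only checks contents.
"""
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: finds every keyword occurrence in one pass."""

    def __init__(self, keywords):
        self.goto = [{}]      # per-state transitions: byte -> next state
        self.fail = [0]       # failure link per state
        self.out = [[]]       # keywords recognised when a state is reached
        for kw in keywords:
            self._add(kw)
        self._build_failure_links()

    def _add(self, kw):
        s = 0
        for b in kw:
            if b not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append(kw)

    def _build_failure_links(self):
        # Breadth-first so a state's failure target (shallower) is final
        # before the state itself is processed.
        queue = deque(self.goto[0].values())   # depth-1 states fail to root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return the set of keywords occurring anywhere in data."""
        s, hits = 0, set()
        for b in data:
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            hits.update(self.out[s])
        return hits


# Constructed rules: sid -> list of content strings (all must match).
RULES = {
    "sid1": [b"GET ", b"/cgi-bin/", b"..%2f", b"HTTP/1."],
    "sid2": [b"USER ", b"anonymous", b"\r\nPASS "],
    "sid3": [b"GET ", b"HTTP/1."],
}


def longest_content(contents):
    """Anchor selection as described in the reply: the longest content."""
    return max(contents, key=len)


class TwoPhaseEngine:
    def __init__(self, rules):
        self.rules = rules
        self.by_anchor = {}   # anchor content -> sids sharing that anchor
        for sid, contents in rules.items():
            self.by_anchor.setdefault(longest_content(contents), []).append(sid)
        self.prefilter = AhoCorasick(list(self.by_anchor))

    def evaluate(self, payload):
        """Return (rules nominated by phase 1, rules confirmed by phase 2)."""
        candidates, fired = [], []
        for anchor in self.prefilter.search(payload):
            for sid in self.by_anchor[anchor]:
                candidates.append(sid)
                if all(c in payload for c in self.rules[sid]):
                    fired.append(sid)
        return sorted(candidates), sorted(fired)


if __name__ == "__main__":
    engine = TwoPhaseEngine(RULES)
    # Constructed payload: nominated by sid1's anchor but missing "..%2f",
    # so phase 2 rejects sid1 while sid3 still fires.
    print(engine.evaluate(b"GET /cgi-bin/foo HTTP/1.0\r\n"))
```

The point the model makes visible is that the pre-filter over-nominates by design: a payload containing `/cgi-bin/` nominates sid1 even though the rule cannot fire without its other contents, and only the detailed phase separates candidates from real alerts.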