[Snort-devel] How does the pattern matching engine do with multi-content signatures?
marc.norton at ...402...
Mon Sep 15 06:31:07 EDT 2003
The 2.0 detection engine selects one of the contents (the longest, for
now) and tests against it. If it is found, then the whole rule is
evaluated against the packet with a detailed inspection, which is an
enhanced version of what was present previous to 2.0. The detailed rule
inspection will validate all of the contents, and any other rule
options. The multi-pattern matching phase is just the higher speed rule
From: snort-devel-admin at lists.sourceforge.net
[mailto:snort-devel-admin at lists.sourceforge.net] On Behalf Of Rong-Tai
Sent: Thursday, September 11, 2003 12:43 PM
To: snort-devel at lists.sourceforge.net
Subject: [Snort-devel] How does the pattern matching engine do with
I'm studying the pattern-matching algorithms of Snort.
Snort 2.0 changed the default search engine to a multi-pattern matching
algorithm such as Wu's and Aho-Corasick.
So how do they do with the multi-content signatures?
For example, if a signature contains 4 content strings, will these four
strings be inserted into the search engine at the same time during
(And a signature is matched only if all of these 4 matched)
Or do they only insert the longest one into the table and, if it is matched,
then try to use BM or something to search for the remaining three?
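The two-phase scheme Marc describes above (key the multi-pattern matcher on each rule's longest content, then fully verify every content of a candidate rule) is shown here as an added, self-contained example; it is not Snort's code. The rule set, the payloads, and the class names `AhoCorasick` and `TwoPhaseMatcher` are constructed for illustration, and the verification step is simplified to "every content string occurs somewhere in the payload", ignoring the offset/depth/distance/within modifiers and other rule options that the real detailed inspection also checks.

```python
from collections import deque

# Constructed rule set (not real Snort rules): sid -> ordered list of contents.
RULES = {
    1001: [b"GET ", b"/cgi-bin/", b"../"],
    1002: [b"USER ", b"anonymous"],
    1003: [b"/cgi-bin/", b"phf"],
}


def fast_pattern(contents):
    """The content the multi-pattern phase keys on: the longest one."""
    return max(contents, key=len)


class AhoCorasick:
    """Minimal Aho-Corasick automaton over byte strings."""

    def __init__(self, patterns):
        self.goto = [{}]   # goto[state] = {byte: next_state}
        self.fail = [0]    # failure link per state
        self.out = [[]]    # patterns ending at each state
        for p in patterns:
            self._add(p)
        self._build()

    def _add(self, pat):
        s = 0
        for b in pat:
            if b not in self.goto[s]:
                self.goto.append({}); self.fail.append(0); self.out.append([])
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append(pat)

    def _build(self):
        # Breadth-first construction of failure links; a state's failure
        # state is always shallower, so its output list is already final.
        q = deque()
        for s in self.goto[0].values():
            self.fail[s] = 0
            q.append(s)
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Yield (start_offset, pattern) for every occurrence, in one pass."""
        s = 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for pat in self.out[s]:
                yield i - len(pat) + 1, pat


class TwoPhaseMatcher:
    """Phase 1: one automaton over every rule's longest content.
    Phase 2: detailed inspection of only the rules that phase 1 flagged."""

    def __init__(self, rules):
        self.rules = rules
        self.by_pattern = {}
        for sid, contents in rules.items():
            self.by_pattern.setdefault(fast_pattern(contents), []).append(sid)
        self.ac = AhoCorasick(list(self.by_pattern))

    @staticmethod
    def verify(contents, payload):
        # Simplified detailed inspection: every content must occur somewhere.
        return all(payload.find(c) >= 0 for c in contents)

    def match(self, payload):
        """Return (alerting sids, candidate sids) for one packet payload."""
        candidates = {}
        for _, pat in self.ac.search(payload):
            for sid in self.by_pattern[pat]:
                candidates[sid] = True          # dedupe repeated hits
        alerts = [sid for sid in candidates if self.verify(self.rules[sid], payload)]
        return sorted(alerts), sorted(candidates)


if __name__ == "__main__":
    m = TwoPhaseMatcher(RULES)
    for payload in (b"GET /cgi-bin/phf?x=../../etc/passwd HTTP/1.0\r\n",
                    b"POST /cgi-bin/upload HTTP/1.0\r\n",
                    b"GET /index.html ../ HTTP/1.0\r\n"):
        print(payload, "->", m.match(payload))
```

The second payload is the case worth noticing: `/cgi-bin/` is the longest content of both rule 1001 and rule 1003, so the automaton flags both as candidates, and the detailed inspection then rejects both because the other contents are absent. The third payload contains two of rule 1001's three contents but not the longest one, so the rule is never evaluated at all; the fast pattern is purely a pre-filter, and a false hit costs only a verification, never a missed alert.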