[Snort-devel] Snort Pattern Search Algorithms

Frank Meerkoetter frank at ...2444...
Wed Apr 7 10:16:02 EDT 2004


On Tue, Apr 06, 2004 at 10:35:25AM -0400, Marc Norton wrote:
Hello,

> Snort uses a variant of the Wu-Manber algorithm, and a straight forward
> implementation of the Aho-Corasick state machine.  These perform the
> high speed multi-pattern matching in Snort.  You need to find the links
> on the snort.org web site to the papers that describe the detection
> engine as a whole in order to understand how the whole thing is tied
> together.  You'll also need to read a fair amount of source code, since
> much of snort is not documented outside of the source code.  Good luck. 

while we're at it. I've got the following question concerning the
implementation of the wu-manber multi-pattern matcher.

As far as i could see "normal" traffic is searched using the function
mwmSearchExBC which implements a one character shifttable/two character
hashtable wu-manber search.

The function mwmSearchExBW which implements the two character shifttable
version is only used when explicitly asked for (by calling
mwmLargeShifts aka. mpseLargeShifts). Which is only done for searching
URI-Content.

What's the reason behind this? Why isn't mwmSearchExBW suitable for
all traffic?
Shouldn't it perform better than mwwSearchExBC? Why not? 
I thought a shifttable which is accessed by a block of characters would 
perform better than a shifttable accessed by a single character.

TIA Frank Meerkoetter
-- 
mixed emotions:
	Watching a bus-load of lawyers plunge off a cliff.
	With five empty seats.




More information about the Snort-devel mailing list