[Snort-devel] the way Snort builds pattern sets - Fast Detection engine?

ozgun erdogan kushcu at ...445...
Mon Feb 16 03:34:02 EST 2004

hi -

I'm going over Snort's code and am trying some modifications on mwm.c (the
string matching algorithms). I have a question about how Snort initially
builds its pattern sets, and any replies would save me lots of "source code
reading" time.

When I run Snort, I call mwmShowStats( ) from mwmPrepPatterns( ). It seems
like some pattern sets are constructed multiple times, and I think I kind of
understand that: generic rules apply to IP, ICMP, TCP and UDP? However, the
following pattern set:

Pattern Stats
Patterns   : 45
Average    : 7 chars
Smallest   : 4 chars
Largest    : 20 chars
Total chars: 318
Len[4] : 28 patterns

is initialized 20 times. What's the reason behind that? Is there any source
code documentation I can read that explains how Snort handles pattern set
construction?
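The following is an added illustration, not code from the original post or from Snort itself. It models one plausible mechanism behind repeated identical statistics blocks, namely the poster's own guess: port-agnostic ("any" port) content patterns are copied into every port group of a protocol, so every group that has no port-specific rules of its own contains exactly the same generic set and prints the same figures. The rule table, the list of ports for which a group is built, and the grouping policy are all constructed assumptions; the statistics are computed the way the mwmShowStats( ) output in the post reads (integer average, length histogram). Whether Snort's own detection-engine setup groups rules this way has to be confirmed against its source.

```c
#include <stdio.h>
#include <string.h>

/* Constructed rule table (illustrative, not real Snort rules): protocol,
 * destination port (ANY_PORT = applies to every port of that protocol)
 * and the content string the rule contributes to the pattern set. */
#define ANY_PORT 0
struct rule { const char *proto; int port; const char *content; };

static const struct rule RULES[] = {
    { "tcp", 80,       "cmd.exe" },
    { "tcp", 80,       "../.." },
    { "tcp", 21,       "SITE EXEC" },
    { "tcp", ANY_PORT, "root" },         /* port-agnostic rules end up in   */
    { "tcp", ANY_PORT, "/bin/sh" },      /* every tcp port group, so groups */
    { "tcp", ANY_PORT, "uid=0(" },       /* with no specific rules all look */
    { "udp", 53,       "version.bind" }, /* identical                       */
};
#define NRULES   ((int)(sizeof RULES / sizeof RULES[0]))
#define MAX_PATS 64
#define MAX_LEN  32
#define GENERIC_ONLY (-1)   /* sentinel port: matches no port-specific rule */

/* ports for which a group is built (constructed list, an assumption) */
static const int TCP_PORTS[] = { 21, 23, 25, 80, 110, 143 };
#define NTCP_PORTS ((int)(sizeof TCP_PORTS / sizeof TCP_PORTS[0]))

/* the figures an mwmShowStats()-style dump prints for one pattern set */
struct pattern_stats {
    int count, avg_len, min_len, max_len, total_chars;
    int len_hist[MAX_LEN];   /* len_hist[n] = number of patterns of length n */
};

/* Collect the patterns of one (proto, port) group: port-specific rules
 * plus every ANY_PORT rule of the same protocol. Returns the count. */
int build_group(const char *proto, int port, const char **out, int max)
{
    int n = 0;
    for (int i = 0; i < NRULES && n < max; i++) {
        if (strcmp(RULES[i].proto, proto) != 0) continue;
        if (RULES[i].port == port || RULES[i].port == ANY_PORT)
            out[n++] = RULES[i].content;
    }
    return n;
}

/* Compute count, integer average, min, max, total and length histogram. */
void compute_stats(const char **pats, int n, struct pattern_stats *st)
{
    memset(st, 0, sizeof *st);
    st->count = n;
    for (int i = 0; i < n; i++) {
        int len = (int)strlen(pats[i]);
        st->total_chars += len;
        if (i == 0 || len < st->min_len) st->min_len = len;
        if (len > st->max_len) st->max_len = len;
        if (len < MAX_LEN) st->len_hist[len]++;
    }
    st->avg_len = n ? st->total_chars / n : 0;  /* integer average, as printed */
}

struct pattern_stats group_stats(const char *proto, int port)
{
    const char *pats[MAX_PATS];
    struct pattern_stats st;
    int n = build_group(proto, port, pats, MAX_PATS);
    compute_stats(pats, n, &st);
    return st;
}

/* Number of port groups that contain nothing but the generic patterns:
 * each of them prints the same statistics block again. */
int count_generic_only_groups(const char *proto, const int *ports, int nports)
{
    struct pattern_stats generic = group_stats(proto, GENERIC_ONLY);
    int same = 0;
    for (int i = 0; i < nports; i++) {
        struct pattern_stats st = group_stats(proto, ports[i]);
        if (memcmp(&st, &generic, sizeof st) == 0) same++;
    }
    return same;
}

static void print_stats(const struct pattern_stats *st)
{
    printf("Pattern Stats\nPatterns   : %d\nAverage    : %d chars\n"
           "Smallest   : %d chars\nLargest    : %d chars\nTotal chars: %d\n",
           st->count, st->avg_len, st->min_len, st->max_len, st->total_chars);
    for (int n = 0; n < MAX_LEN; n++)
        if (st->len_hist[n]) printf("Len[%d] : %d patterns\n", n, st->len_hist[n]);
}

int main(void)
{
    for (int i = 0; i < NTCP_PORTS; i++) {
        struct pattern_stats st = group_stats("tcp", TCP_PORTS[i]);
        printf("--- tcp port %d group ---\n", TCP_PORTS[i]);
        print_stats(&st);
    }
    printf("%d of %d tcp groups are the generic set only\n",
           count_generic_only_groups("tcp", TCP_PORTS, NTCP_PORTS), NTCP_PORTS);
    return 0;
}
```

With this table, the port 23, 25, 110 and 143 groups hold only the three generic patterns and print an identical block four times; scale the generic set up to 45 patterns and the port list up to 20 entries and you get the picture from the post. A quick way to test the hypothesis against real Snort is to count the distinct (protocol, port) groups the detection engine creates for the loaded rule set and compare that number with the repeat count of the statistics block.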
