[Snort-devel] the way Snort builds pattern sets - Fast Detection engine?
kushcu at ...445...
Mon Feb 16 03:34:02 EST 2004
I'm going over Snort's code and am trying some modifications on mwm.c - the
string matching algorithms. I have a question related to how Snort initially
builds its pattern sets, and any replies would save me lots of "source code
When I run Snort, I call mwmShowStats() from mwmPrepPatterns(). It seems
like some pattern sets are constructed multiple times. I think I kind of
understand that: generic rules apply to IP, ICMP, TCP and UDP? However, the
following pattern set:
Patterns : 45
Average : 7 chars
Smallest : 4 chars
Largest : 20 chars
Total chars: 318
Len : 28 patterns
is initialized 20 times. What's the reason behind that? Is there a source
code documentation that I can read which explains how Snort handles pattern