[Snort-devel] regarding pattern matching

Govind govind at ...2982...
Thu Jul 17 09:34:40 EDT 2008


Greetings all,

I am studying the performance of the pattern-matching module in Snort.
In particular, I am studying the performance of the Aho-Corasick
automaton based search.


I would like to know whether, in case of a pattern match, the actions
corresponding to rules need to be done at wire speed. The traversal of
the Aho-Corasick automaton needs to be done at the incoming line rate.
But do the actions that correspond to each node - an alert or a packet
log - also need to be done at wire speed?


The reason I am asking is because I have noticed that there are nodes
with multiple matches. These multiple matches are stored as a linked
list. I also observe that this can have a performance impact.
Can these actions be done offline and not at the line-rate?



Regards
Govind


-- 
-----------------------------------------------------------------------

Govind S
Graduate student
Departament d'Arquitectura de Computadors      E-mail:govind at ...2982...
Universitat Politecnica de Catalunya           Phone:   +34 93 4054097
c/ Jordi Girona 1-3, Edifici D6                
08034-Barcelona (Spain)

-----------------------------------------------------------------------
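
The structure the message describes, as an added sketch that is not Snort's code and not part of the original post: a textbook Aho-Corasick automaton whose states each carry a linked list of matching rule ids, where the per-byte traversal only queues (offset, state) hits and a separate pass walks the lists. The patterns, payload, rule ids and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#define MAX_STATES 64 /* ample for the constructed patterns in main() */
typedef struct Match { int rule_id; struct Match *next; } Match;
typedef struct { int offset, state; } Event; /* what the fast path queues per hit */
static int trans[MAX_STATES][256], fail[MAX_STATES], nstates = 1; /* 0 = root */
static Match *matches[MAX_STATES]; /* per-state linked list of matching rules */
static void add_match(int s, int rule_id) {
    Match *m = malloc(sizeof *m); if (!m) abort();
    m->rule_id = rule_id; m->next = matches[s]; matches[s] = m;
}
static void ac_add(const char *pat, int rule_id) {
    int s = 0;
    for (; *pat; pat++) {
        int *t = &trans[s][(unsigned char)*pat];
        if (!*t) { if (nstates == MAX_STATES) abort(); *t = nstates++; }
        s = *t;
    }
    add_match(s, rule_id);
}
static void ac_build(void) { /* BFS: failure links, then complete the DFA rows */
    int q[MAX_STATES], head = 0, tail = 0;
    for (int c = 0; c < 256; c++) if (trans[0][c]) q[tail++] = trans[0][c];
    while (head < tail) {
        int s = q[head++], f = fail[s];
        for (Match *m = matches[f]; m; m = m->next) add_match(s, m->rule_id); /* suffix hits */
        for (int c = 0; c < 256; c++)
            if (trans[s][c]) { fail[trans[s][c]] = trans[f][c]; q[tail++] = trans[s][c]; }
            else trans[s][c] = trans[f][c];
    }
}
static int ac_scan(const unsigned char *buf, int len, Event *ev, int max_ev) {
    int s = 0, n = 0; /* fast path: one lookup per byte, hits queued, lists not walked */
    for (int i = 0; i < len; i++)
        if (matches[s = trans[s][buf[i]]] && n < max_ev) ev[n++] = (Event){ i, s };
    return n; /* hits beyond max_ev are dropped in this sketch */
}
static int ac_drain(const Event *ev, int n, int *hits) {
    int walked = 0; /* deferred path: walk each queued state's list, count nodes visited */
    for (int i = 0; i < n; i++)
        for (Match *m = matches[ev[i].state]; m; m = m->next) { hits[m->rule_id]++; walked++; }
    return walked;
}
int main(void) {
    Event ev[8]; int hits[4] = {0};
    ac_add("he", 0); ac_add("she", 1); ac_add("hers", 2); ac_add("e", 3); ac_build();
    int n = ac_scan((const unsigned char *)"ushers", 6, ev, 8);
    printf("%d events queued, %d list nodes walked\n", n, ac_drain(ev, n, hits));
    return 0;
}
```

On the constructed payload, the state reached after "she" carries three list entries ("she", "he", "e"), so two queued events expand to four list nodes in the deferred pass.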
