[Snort-devel] regarding pattern matching

Steven Sturges steve.sturges at ...402...
Thu Jul 17 09:35:36 EDT 2008


Hi Govind--

What version of Snort are you looking at?  Snort 2.8.2 has some
significant changes to how a matching end-state is processed
that address the exact question you raise.

The rules must be evaluated during processing of the packet,
and cannot easily be done offline.

Cheers
-steve

Govind wrote:
> Greetings all,
> 
> I am  studying the performance of the pattern-matching module in snort.
> In particular, I am studying the performance of the Aho-Corasick
> automaton based search.
> 
> 
> I would like to know if in case of a pattern-match do actions
> corresponding to rules need to be done at wire-speeds. The traversal of
> the Aho-Corasick automaton needs to be done at the incoming line-rate.
> But do the actions that correspond to each node - an alert or a packet
> log-also need to be done at wire-speeds.
> 
> 
> The reason I am asking is because I have noticed that there are nodes
> with  multiple matches. These multiple matches are stored as linked
> list. I also observe that this can have a performance impact.
> Can these actions be done offline and not at the line-rate?
> 
> 
> 
> Regards
> Govind
> 
> 




More information about the Snort-devel mailing list