[Snort-devel] regarding pattern matching

Govind govind at ...2982...
Thu Jul 17 09:48:14 EDT 2008


Hi,

I am using Snort-2.6.1.3 version.

The file I am referring to is the acsmx.c in src/sfutil and the function
is acsmSearch() in it.


Regards
Govind

On Thu, 2008-07-17 at 09:35 -0400, Steven Sturges wrote:
> Hi Govind--
> 
> What version of Snort are you looking at?  Snort 2.8.2 has some
> significant changes to how a matching end-state is processed
> that address the exact question you raise.
> 
> The rules must be evaluated during processing of the packet,
> and cannot easily be done offline.
> 
> Cheers
> -steve
> 
> Govind wrote:
> > Greetings all,
> > 
> > I am studying the performance of the pattern-matching module in snort.
> > In particular, I am studying the performance of the Aho-Corasick
> > automaton based search.
> > 
> > 
> > I would like to know whether, in case of a pattern match, the actions
> > corresponding to rules need to be done at wire speed. The traversal of
> > the Aho-Corasick automaton needs to be done at the incoming line rate.
> > But do the actions that correspond to each node - an alert or a packet
> > log - also need to be done at wire speed?
> > 
> > 
> > The reason I am asking is that I have noticed that there are nodes
> > with multiple matches. These multiple matches are stored as a linked
> > list. I also observe that this can have a performance impact.
> > Can these actions be done offline and not at the line rate?
> > 
> > 
> > 
> > Regards
> > Govind
> > 
> > 
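The "nodes with multiple matches" Govind describes arise whenever one pattern is a suffix of another: the end state for the longer pattern inherits the match list of its failure state, so a single automaton state fires several rule matches. The following is an added illustration written for this thread, not code from Snort's acsmx.c. It builds a minimal Aho-Corasick automaton over the classic pattern set (he, she, his, hers), keeps per-state output as a linked list as acsmx.c does, and runs it over the constructed input "ushers" to show three matches total with two of them fired at one state. All names (Acsm, ac_search, demo_ushers) are this example's own.

```c
/* Added example, not Snort's acsmx.c: a small Aho-Corasick automaton whose
 * end states keep their matches in a linked list, so the cost of walking
 * that list at a hit state can be seen separately from the state traversal. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALPHA 256      /* byte alphabet */
#define MAX_STATES 64  /* enough for the demo patterns */

/* One entry in the per-state list of pattern ids that match here. */
typedef struct Match { int pattern; struct Match *next; } Match;

typedef struct {
    int goto_tbl[MAX_STATES][ALPHA]; /* -1 means "no transition" */
    int fail[MAX_STATES];            /* failure links */
    Match *out[MAX_STATES];          /* output list per state */
    int nstates;
} Acsm;

static void ac_init(Acsm *a) {
    memset(a, 0, sizeof *a);
    for (int s = 0; s < MAX_STATES; s++)
        for (int c = 0; c < ALPHA; c++) a->goto_tbl[s][c] = -1;
    a->nstates = 1; /* state 0 is the root */
}

static void add_output(Acsm *a, int state, int pattern) {
    Match *m = malloc(sizeof *m);
    m->pattern = pattern;
    m->next = a->out[state];
    a->out[state] = m;
}

/* Insert a pattern into the trie and mark its end state. */
static void ac_add_pattern(Acsm *a, const char *p, int id) {
    int s = 0;
    for (; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (a->goto_tbl[s][c] < 0) a->goto_tbl[s][c] = a->nstates++;
        s = a->goto_tbl[s][c];
    }
    add_output(a, s, id);
}

/* Breadth-first pass computing failure links; each state also inherits the
 * output list of its failure state, which is exactly how one state ends up
 * carrying several matches (e.g. "she" also matches "he"). */
static void ac_compile(Acsm *a) {
    int queue[MAX_STATES], head = 0, tail = 0;
    for (int c = 0; c < ALPHA; c++) {
        int s = a->goto_tbl[0][c];
        if (s < 0) { a->goto_tbl[0][c] = 0; continue; } /* root loops on misses */
        a->fail[s] = 0;
        queue[tail++] = s;
    }
    while (head < tail) {
        int r = queue[head++];
        for (int c = 0; c < ALPHA; c++) {
            int s = a->goto_tbl[r][c];
            if (s < 0) continue;
            queue[tail++] = s;
            int f = a->fail[r];
            while (a->goto_tbl[f][c] < 0) f = a->fail[f];
            a->fail[s] = a->goto_tbl[f][c];
            for (Match *m = a->out[a->fail[s]]; m; m = m->next)
                add_output(a, s, m->pattern);
        }
    }
}

/* Scan text: the state walk is O(len); the inner loop is the per-hit list
 * walk whose cost Govind's question is about. Returns total matches and
 * stores the longest output list hit at any single state in *max_per_state. */
static int ac_search(Acsm *a, const char *text, int *max_per_state) {
    int s = 0, total = 0;
    *max_per_state = 0;
    for (; *text; text++) {
        unsigned char c = (unsigned char)*text;
        while (a->goto_tbl[s][c] < 0) s = a->fail[s];
        s = a->goto_tbl[s][c];
        int n = 0;
        for (Match *m = a->out[s]; m; m = m->next) n++;
        total += n;
        if (n > *max_per_state) *max_per_state = n;
    }
    return total;
}

static void ac_free(Acsm *a) {
    for (int s = 0; s < a->nstates; s++)
        while (a->out[s]) { Match *m = a->out[s]; a->out[s] = m->next; free(m); }
}

/* Constructed demo: patterns he/she/his/hers over the input "ushers".
 * Returns the match total (3); *max_out receives the largest list at one state (2). */
int demo_ushers(int *max_out) {
    static Acsm a; /* static: the goto table is too large to want on the stack */
    ac_init(&a);
    const char *pats[] = { "he", "she", "his", "hers" };
    for (int i = 0; i < 4; i++) ac_add_pattern(&a, pats[i], i);
    ac_compile(&a);
    int total = ac_search(&a, "ushers", max_out);
    ac_free(&a);
    return total;
}

int main(void) {
    int mx;
    int total = demo_ushers(&mx);
    printf("%d matches, largest single-state match list: %d\n", total, mx);
    return 0;
}
```

Reaching the state for "she" fires both "she" and the inherited "he"; the state walk itself did constant work per byte, while the list walk at that state did two units of work. That list walk (and whatever rule evaluation hangs off each entry) is the part whose placement relative to line rate the thread is discussing.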
