[Snort-devel] regarding pattern matching
steve.sturges at ...402...
Thu Jul 17 09:49:57 EDT 2008
Please have a look at the 220.127.116.11 version. 2.6.1 is
well over a year old and significant performance improvements
have been made in the newer versions.
> I am using Snort-18.104.22.168 version.
> The file I am referring to is the acsmx.c in src/sfutil and the function
> is acsmSearch() in it.
> On Thu, 2008-07-17 at 09:35 -0400, Steven Sturges wrote:
>> Hi Govind--
>> What version of Snort are you looking at? Snort 2.8.2 has some
>> significant changes to how a matching end-state is processed
>> that address the exact question you raise.
>> The rules must be evaluated during processing of the packet,
>> and cannot easily be done offline.
>> Govind wrote:
>>> Greetings all,
>>> I am studying the performance of the pattern-matching module in snort.
>>> In particular, I am studying the performance of the Aho-Corasick
>>> automaton based search.
>>> I would like to know if in case of a pattern-match do actions
>>> corresponding to rules need to be done at wire-speeds. The traversal of
>>> the Aho-Corasick automaton needs to be done at the incoming line-rate.
>>> But do the actions that correspond to each node - an alert or a packet
>>> log-also need to be done at wire-speeds.
>>> The reason I am asking is because I have noticed that there are nodes
>>> with multiple matches. These multiple matches are stored as linked
>>> list. I also observe that this can have a performance impact.
>>> Can these actions be done offline and not at the line-rate?
> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> Build the coolest Linux based applications with Moblin SDK & win great prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
More information about the Snort-devel