[Snort-devel] DFA construction in Snort

Hui Cao hcao at ...402...
Mon Sep 23 10:48:14 EDT 2013


Hi Maleeha,

Where did you hear snort make DFA on the fly? Rules are compiled
before they are evaluated. In some cases, such as SMTP boundary
checking, it will be compiled on real time, because boundary is
dynamic.

Best,
Hui.

On Sun, Sep 22, 2013 at 3:35 AM, Maleeha N <beenish.raza at ...445...> wrote:
> Hy!
>
>  I have heard that snort makes DFAs on real time. What does it mean by real
> time? Shouldn't the DFAs be built before the packets arrive? Like if we have
> a regular expression defined for some attack then its DFA should already be
> there before the packet comes. So, that when such packet arrives then the
> packet with that particular attack be identified on urgent basis.
>
> ------------------------------------------------------------------------------
> LIMITED TIME SALE - Full Year of Microsoft Training For Just $49.99!
> 1,500+ hours of tutorials including VisualStudio 2012, Windows 8, SharePoint
> 2013, SQL 2012, MVC 4, more. BEST VALUE: New Multi-Library Power Pack
> includes
> Mobile, Cloud, Java, and UX Design. Lowest price ever! Ends 9/22/13.
> http://pubads.g.doubleclick.net/gampad/clk?id=64545871&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!




More information about the Snort-devel mailing list