[Snort-users] What are the possible search-method directives?

JP Vossen vossenjp at ...8683...
Sun May 4 22:13:07 EDT 2003


Anyone know what the different "config detection: search-method"s are?

The only one I could find documented (sort of) is lowmem.  The other options
seem to be: ac and mwm, but there is no indication what they are or which is
the default if you don't specify. Searching the FAQ, Snort manual, SourceFire
White paper PDFs, the archives and Google all failed (thought I didn't spend a
large amount of time on it).

Even the code seems confused:
	snort-2.0.0/src/parser.c:

	if( !strcasecmp(args[i],"search-method") )
	[...]
                   FatalError("%s (%d)=> Invalid argument to 'search-method'"
                              ".  Must be either 'mwm' or 'ac'.\n",
                              file_name, file_line);
No mention of lowmem...


	snort-2.0.0/src/mpse.h

	/*
	*  Pattern Matching Methods
	*/
	#define MPSE_MWM      1
	#define MPSE_AC       2
	#define MPSE_KTBM     3
	#define MPSE_LOWMEM   4
	#define MPSE_AUTO     5

There are case statements for all 5 in mpse.c, yet auto is not an allowable
option in the Snort.conf...  'Course, I really don't know squat about c code,
so...


TIA,
JP
------------------------------|:::======|--------------------------------
JP Vossen, CISSP              |:::======|                jp at ...8684...
My Account, My Opinions       |=========|       http://www.jpsdomain.org/
------------------------------|=========|--------------------------------
"The software said it requires Windows 98 or better, so I installed
Linux..."





More information about the Snort-users mailing list