[Snort-users] How does the pattern matching engine do with multi-content signatures?

Rong-Tai Liu tie at ...10073...
Mon Sep 15 08:22:08 EDT 2003


I'm studying the pattern-matching algorithms of Snort.

Snort 2.0 change the default search engine to multi-pattern matching algorithm such like Wu's and Aho-Corasick.
so How do they do with the multi-content signatures? 

For exmaple, if a signature contains 4 content strings, will these four string be inserted into the search engine in the same time during signature insertion? 
(And a signature is matched only if all of these 4 matched)
Or they only insert the longest one into the table, and if it's matched then try to use BM or something to search for the rest three?

