[Snort-users] How does the pattern matching engine do with multi-content signatures?
tie at ...10073...
Mon Sep 15 08:22:08 EDT 2003
I'm studying the pattern-matching algorithms of Snort.
Snort 2.0 change the default search engine to multi-pattern matching algorithm such like Wu's and Aho-Corasick.
so How do they do with the multi-content signatures?
For exmaple, if a signature contains 4 content strings, will these four string be inserted into the search engine in the same time during signature insertion?
(And a signature is matched only if all of these 4 matched)
Or they only insert the longest one into the table, and if it's matched then try to use BM or something to search for the rest three?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users