[Snort-users] Snort searching algorithm

Y M snort at ...15979...
Tue May 13 00:43:05 EDT 2014


P.S.: Please reply to the entire list so everyone can benefit/participate, and not only to the person who replied to your request.
If I am understanding your request right, then there are several preprocessors through which the packet stream passes before it hits the detection engine (I guess?, logically speaking). For example, packet decoders and the reputation preprocessor get to process packets before the detection engine. However, these preprocessors also have rules (text or SO rules) and will log certain traffic anomalies (rules) or when a blacklisted IP is matched by the reputation preprocessor, respectively. My understanding is that these preprocessors will output directly to the output plugin, as opposed to "consulting" with the detection engine before the actual output is made.
YM

Date: Mon, 12 May 2014 18:48:42 -0400
Subject: RE: [Snort-users] Snort searching algorithm
From: bontupalliv1 at ...16841...
To: snort at ...15979...

Thanks for the reply.

Is there a possibility to log the preprocessor data before it hits the detection engine?

If so, what would the code/conf changes be?

On May 9, 2014 4:25 PM, "Y M" <snort at ...15979...> wrote:

From the documentation: http://manual.snort.org/node16.html#SECTION00313000000000000000. Look for "config detection: [search-method <method>]"; this should help.

YM

Date: Fri, 9 May 2014 14:32:27 -0400
From: bontupalliv1 at ...16841...
To: snort-users at lists.sourceforge.net

Subject: [Snort-users] Snort searching algorithm

Dear Snort users,

Could anyone please tell me what pattern matching algorithm(s) Snort uses in the detection engine for detecting malicious packet content against its rules' content?
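The manual section YM points to lists search-method values such as ac, ac-q, ac-bnfa, ac-bnfa-q, ac-split and lowmem; the ac-* options are variants of the Aho-Corasick multi-pattern automaton, which lets the detection engine check every rule's content: string in a single pass over a payload instead of scanning the payload once per rule. The following is an added example, not Snort's own code and not from anyone on this thread: a minimal Aho-Corasick implementation in Python, run over a constructed HTTP request against a handful of made-up content strings (the sid numbers and descriptions are placeholders, not real Snort rules). A naive per-pattern scan is included only to cross-check that the automaton reports the same matches.

```python
from collections import deque

# Constructed sample "content:" strings with placeholder descriptions.
# These are NOT real Snort rules or SIDs; they exist only to drive the example.
PATTERNS = {
    b"/etc/passwd": "sid:1 - path traversal target",
    b"cmd.exe":     "sid:2 - Windows shell reference",
    b"<script":     "sid:3 - opening script tag",
    b"script":      "sid:4 - bare keyword (suffix of sid:3, found via failure link)",
}

# Constructed sample payload (not captured traffic).
SAMPLE_PAYLOAD = (b"GET /../../etc/passwd HTTP/1.1\r\n"
                  b"User-Agent: <script>cmd.exe</script>")


class AhoCorasick:
    """Multi-pattern matcher: builds a trie of all patterns plus failure links,
    then scans the input once, reporting every pattern that ends at each byte."""

    def __init__(self, patterns):
        self.goto = [{}]   # state -> {byte: next_state}
        self.fail = [0]    # state -> longest proper suffix state
        self.out = [[]]    # state -> patterns that end here
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        s = 0
        for b in pattern:
            if b not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append(pattern)

    def _build_failure_links(self):
        # Breadth-first over the trie: depth-1 states fail to the root,
        # deeper states fail to the longest suffix that is also a trie prefix.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A pattern ending at the failure state also ends here
                # (this is how "script" is found inside "<script").
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return [(offset, pattern), ...] for every occurrence, in one pass."""
        hits = []
        s = 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for p in self.out[s]:
                hits.append((i - len(p) + 1, p))
        return hits


MATCHER = AhoCorasick(PATTERNS)


def scan_payload(payload):
    """Aho-Corasick scan of one payload; sorted so results are order-stable."""
    return sorted(MATCHER.search(payload))


def naive_scan(payload):
    """Reference scan: one pass over the payload per pattern (what the
    automaton avoids). Used here only to cross-check scan_payload()."""
    hits = []
    for p in PATTERNS:
        start = 0
        while True:
            idx = payload.find(p, start)
            if idx < 0:
                break
            hits.append((idx, p))
            start = idx + 1
    return sorted(hits)


if __name__ == "__main__":
    for offset, pattern in scan_payload(SAMPLE_PAYLOAD):
        print(f"offset {offset:3d}  {pattern!r:16}  {PATTERNS[pattern]}")
```

The point to take away is that the scan loop touches each payload byte once regardless of how many patterns are loaded; Snort's ac-* variants differ in how the transition table is stored (memory versus speed), not in this basic behaviour. Note also that the bare "script" pattern is reported inside "<script" purely through the failure link, which is why overlapping content strings across many rules do not cost extra passes.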
