[Snort-users] Change detection engine in Snort

wkitty42 at windstream.net wkitty42 at windstream.net
Mon Nov 6 09:15:02 EST 2017


On 11/06/2017 01:26 AM, mohammed albasha via Snort-users wrote:
> Hi everyone
> 
> I want to ask one question about detection engine,
> 
> My question is: How can I change the detection method engine in snort (the 
> default is AC algorithm) to Wu-Manber algorithm?

from an old post back in 2014...

[quote]
2014-03-13 10:57 GMT-03:00 Bhagya Bantwal (bbantwal) <bbantwal () cisco com>:

Hello Anacleto Júnior,

The detection method with the snort.conf we ship is ac-split. The
default in the code is ac-bnfa. Both detection methods are low on memory
and high on performance.

The optimal detection method depends on the rule set you have.

Thank you!
Bhagya
[/quote]


with that said, you need to look at your snort.conf file, Step #3, and study 
README.decode as well as the snort manual... specifically section 2.1.3.1...


[quote]
###################################################
# Step #3: Configure the base detection engine.  For more information, see README.decode
###################################################

[...]

# Configure the detection engine  See the Snort Manual, Configuring Snort - Includes - Config
config detection: search-method ac-split search-optimize max-pattern-len 20
[/quote]


if that doesn't help you then you'll likely have to break out your code editor 
and compiler to create such an algorithm... i don't recognize the one you 
wrote... at least not in the context of snort...



-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
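
Added example, not part of the original post and not Snort project code: a small checker that reads the "config detection" line from snort.conf text and reports which search-method is in effect. The KNOWN_METHODS set is an assumption taken from the Snort 2.9 manual's "config detection" entry, and the function names and report wording are hypothetical.

```python
import re

# Assumption: search-method names as listed under "config detection" in the
# Snort 2.9 manual; confirm against the manual for the release you run.
KNOWN_METHODS = {
    "ac", "ac-q", "ac-nq", "ac-std", "acs", "ac-split", "ac-banded",
    "ac-sparsebands", "ac-bnfa", "ac-bnfa-q", "ac-bnfa-nq",
    "lowmem", "lowmem-q", "lowmem-nq", "intel-cpm",
}
CODE_DEFAULT = "ac-bnfa"  # default in the code, per the 2014 reply quoted above
DIRECTIVE = re.compile(r"^\s*config\s+detection\s*:\s*(.*)$")

def detection_settings(conf_text):
    """Return [(line_no, search_method_or_None, other_tokens)] per directive."""
    found = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(raw.split("#", 1)[0])  # ignore comment text
        if not match:
            continue
        tokens = match.group(1).replace(",", " ").split()
        method, others, i = None, [], 0
        while i < len(tokens):
            if tokens[i] == "search-method" and i + 1 < len(tokens):
                method, i = tokens[i + 1], i + 2
            else:
                others.append(tokens[i])
                i += 1
        found.append((line_no, method, others))
    return found

def audit(conf_text):
    """Return one finding string per directive (hypothetical report format)."""
    settings = detection_settings(conf_text)
    if not settings:
        return [f"no config detection line: code default {CODE_DEFAULT} applies"]
    findings = []
    for line_no, method, _ in settings:
        if method is None:
            findings.append(f"line {line_no}: no search-method: code default {CODE_DEFAULT} applies")
        elif method in KNOWN_METHODS:
            findings.append(f"line {line_no}: search-method {method} ok")
        else:
            findings.append(f"line {line_no}: search-method {method} not recognized")
    return findings

# Constructed samples: the shipped line from the post, and an unknown method name.
SHIPPED = "# Step #3\nconfig detection: search-method ac-split search-optimize max-pattern-len 20\n"
UNKNOWN = "config detection: search-method wu-manber\n"

if __name__ == "__main__":
    for text in (SHIPPED, UNKNOWN):
        print("\n".join(audit(text)))
```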


