IDS mailing list archives
Re: snort & regular expressions
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 25 Jan 2006 14:56:40 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Sevil,We use a two-stage process in the Snort detection engine these days. In it's standard configuration all the rules that are loaded in at runtime have their longest pattern matching option (content/ uricontent) loaded into a fast set-wise pattern matching engine. (Set-wise pattern matchers match all patterns in the set simultaneously.) Once the engine is up and running, traffic is run thru the set-wise pattern matcher to pre-qualify rules that *may* fire. These rules are chained together and tested after the prequalification stage, greatly reducing the number of rules that have to be analyzed for any given data set. For the sake of building the prequalification set-wise matching data, the PCRE rule options are ignored and only tested when the full rules themselves are tested after prequalification.
There are three basic pattern matching algorithms that we use in Snort today, Wu-Manber, Aho-Corasick and Boyer-Moore. PCRE uses its own DFA/NFA mechanisms behind the scenes.
Hope that helps!
-Marty
On Jan 25, 2006, at 2:01 PM, Sevil SEN wrote:
Hello,I know that Snort uses efficient multiple-string algorithms. If the set of strings contain regular expressions, which algorithm is used in Snort?thanks.. _________________________________________________________________Her yönüyle sohbetin tadi ancak Messenger ile çikar! http:// messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584---------------------------------------------------------------------- --Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus- ids_040708 to learn more. ---------------------------------------------------------------------- --
- -- Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire - Security for the Real World - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFD19f4qj0FAQQ3KOARAjXLAJwN6EG7KIrdwSSoQdoD+ndBbMvpVQCfSKx0 tW43zCOMY/dPWmMLfhWPkzY= =YFtm -----END PGP SIGNATURE----- ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- snort & regular expressions Sevil SEN (Jan 25)
- Re: snort & regular expressions Martin Roesch (Jan 26)
- Re: snort & regular expressions Sevil SEN (Jan 27)
- Re: snort & regular expressions Martin Roesch (Jan 27)
- Re: snort & regular expressions Sevil SEN (Jan 27)
- Re: snort & regular expressions Martin Roesch (Jan 26)