Snort mailing list archives
Re: Wu-Manber, Aho-Corasick, Boyer Moore.
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 10 Jun 2004 13:20:08 -0400
At 05:50 AM 6/10/2004, kinek wrote:
> Hey all, is it possible to select one of the multi-pattern-search-algorithms sophisticated for one protocol? So that for example the ICMP packets are performed by Wu-Manber and UDP packets by Aho-Corasick. Are there other possibilities to differentiate the use of these algorithms? How can I select one specific multi-pattern-search-algorithm? (even if it is not possible to differentiate the use of it)
It's not documented in the snort.conf file yet, but from the 2.1.2 source code of fpcreate.c:
Search method is set using "config detect: search-method ac | mwm | auto", where ac is Aho-Corasick and mwm is Modified Wu-Manber. It also seems to support "lowmem", which appears to end up using the Boyer Moore algorithm from looking at mpse.c (MPSE_LOWMEM results in the same behavior as MPSE_KTBM).
However, it doesn't appear that you can select which one on a per-protocol basis.
Current thread:
- Wu-Manber, Aho-Corasick, Boyer Moore. kinek (Jun 10)
- Re: Wu-Manber, Aho-Corasick, Boyer Moore. Matt Kettler (Jun 11)