Snort mailing list archives
Re: [SUSPECTED SPAM] Snort rules time complexity
From: Alex McDonnell <amcdonnell () sourcefire com>
Date: Fri, 1 Mar 2019 14:50:15 -0500
Snort's pattern matching engine is based on Aho-Corasick ( https://en.wikipedia.org/wiki/Aho%E2%80%93Corasick_algorithm ). There was a paper (at least one) written on its use in Snort that you can read here: ( https://snort-org-site.s3.amazonaws.com/production/document_files/files/000/000/085/original/OptimizingPathernMatchingForIDS.pdf )

Does that help?

Alex McDonnell
Cisco TaLoS

On Fri, Mar 1, 2019 at 2:01 PM Carl Nykvist via Snort-sigs <snort-sigs () lists snort org> wrote:
> Hi! When Snort looks at traffic, it filters maybe on IP address to see if any rules match the traffic. But it can't go through each rule and it needs to do this process quickly, otherwise it would take very long and the complexity would be O(n). So I wonder what Snort is using to filter and search for which rules match the traffic in as fast a way as possible.
>
> On Fri, Mar 1, 2019 at 16:32, Joel Esler (jesler) <jesler () cisco com> wrote:
>
>> How Snort handles "time complexity"
>>
>> What do you mean?
>>
>> On Mar 1, 2019, at 5:10 AM, Carl Nykvist via Snort-sigs <snort-sigs () lists snort org> wrote:
>>
>>> Hi! Anyone here knows how snort handles time complexity to search and filter for specific rules quickly?
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
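The Aho-Corasick idea named in the reply above, as an added example that is not part of the thread and is not Snort's own code: all rule patterns are compiled into one automaton, so a payload is scanned once and the work does not grow with a per-rule loop. The rule IDs, patterns and payload are constructed for illustration, and the function names are hypothetical.

```python
from collections import deque

# Constructed sample: content pattern -> rule ID (not real Snort rules).
PATTERNS = {
    b"/etc/passwd": 1000001,
    b"passwd": 1000002,
    b"cmd.exe": 1000003,
    b"User-Agent: sqlmap": 1000004,
}

def build_automaton(patterns):
    """Build trie (goto), failure links and per-state rule sets."""
    goto, fail, out = [{}], [0], [set()]
    for pattern, rule_id in patterns.items():
        state = 0
        for byte in pattern:
            if byte not in goto[state]:
                goto.append({})
                fail.append(0)
                out.append(set())
                goto[state][byte] = len(goto) - 1
            state = goto[state][byte]
        out[state].add(rule_id)
    # Breadth-first: a state's failure link is the longest proper suffix of
    # its path that is also a prefix of some pattern.
    queue = deque(goto[0].values())
    while queue:
        state = queue.popleft()
        for byte, nxt in goto[state].items():
            f = fail[state]
            while f and byte not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(byte, 0)
            out[nxt] |= out[fail[nxt]]  # inherit matches ending at the suffix
            queue.append(nxt)
    return goto, fail, out

def candidate_rules(automaton, payload):
    """Single pass over payload; returns IDs of rules whose pattern occurs."""
    goto, fail, out = automaton
    state, hits = 0, set()
    for byte in payload:
        while state and byte not in goto[state]:
            state = fail[state]
        state = goto[state].get(byte, 0)
        hits |= out[state]
    return hits

# Constructed payload for illustration.
PAYLOAD = b"GET /download?file=../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(sorted(candidate_rules(build_automaton(PATTERNS), PAYLOAD)))
```

Both overlapping patterns are reported from the same pass because the state reached at the end of `/etc/passwd` inherits the output of its suffix `passwd`.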
Current thread:
- Snort rules time complexity Carl Nykvist via Snort-sigs (Mar 01)
- Re: [SUSPECTED SPAM] Snort rules time complexity Joel Esler (jesler) via Snort-sigs (Mar 01)
- Re: [SUSPECTED SPAM] Snort rules time complexity Carl Nykvist via Snort-sigs (Mar 01)
- Re: [SUSPECTED SPAM] Snort rules time complexity Alex McDonnell (Mar 01)
- Re: [SUSPECTED SPAM] Snort rules time complexity Carl Nykvist via Snort-sigs (Mar 01)
- Re: [SUSPECTED SPAM] Snort rules time complexity Joel Esler (jesler) via Snort-sigs (Mar 01)