Snort mailing list archives
Re: Pattern matching
From: "Russ Combs (rucombs) via Snort-users" <snort-users () lists snort org>
Date: Sat, 6 Jul 2019 12:34:24 +0000
Snort 2 uses Boyer-Moore for content literal searches during signature evaluation. There is also a PCRE option for that. A “fast pattern” step precedes that which uses one of several multi-pattern search engines (MPSEs) to search for multiple content literals in parallel. Some preprocessors / inspectors also do parallel searches.

In addition, Snort 3 can use Hyperscan for a regex fast pattern search as well as with a regex rule option and we are planning to use that instead of Boyer-Moore for repeated content searches.

Searching is typically a large part of the work Snort does and we are always looking to improve how it is done. You should experiment with Snort 3 if you are curious about the current implementation or thinking about experimentation. Snort 3 in particular makes it easy to add an MPSE as a plugin.

https://github.com/snort3

Cheers
Russ

From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Md. Nazrul Islam Ridoy via Snort-users" <Snort-users () lists snort org>
Reply-To: "Md. Nazrul Islam Ridoy" <nazrul15-5503 () diu edu bd>
Date: Saturday, July 6, 2019 at 12:28 AM
To: Tanjim Dipon <tanjim.dipon () gmail com>
Cc: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: Re: [Snort-users] Pattern matching

Hi Tanjim,

After a lot of research I have found that Snort used the Boyer-Moore pattern matching algorithm.
You may find more interesting here: https://en.wikipedia.org/wiki/Boyer–Moore_string-search_algorithm

On Mon, Jul 1, 2019 at 10:26 PM Tanjim Dipon via Snort-users <snort-users () lists snort org> wrote:

> Hi,
> I wanted to know which pattern matching algorithm is used in snort and if there is any scope of improving the performance of the algorithm currently in use
> Thanks
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> To unsubscribe, send an email to:
> snort-users-leave () lists snort org
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

--
Thank you
Nazrul
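The two-stage search described in the message above (a multi-pattern "fast pattern" pass, then a per-rule literal search), as an added example that is not part of the original thread and is not Snort source code. It assumes Aho-Corasick as the multi-pattern engine and uses Boyer-Moore-Horspool, a simplified Boyer-Moore variant, for the literal search. The `rule` struct, function names, rules and payload are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAXS 128                      /* assumed cap on automaton states */
struct rule { const char *fast, *other; };   /* hypothetical two-content rule */
static const struct rule RULES[] = { { "/cgi-bin/test.cgi", "cmd=" }, /* constructed */
    { "User-Agent: scanner", "GET " }, { "test.cgi", "passwd" } };
static const char PAYLOAD[] = "GET /cgi-bin/test.cgi?cmd=id HTTP/1.1\r\n\r\n"; /* constructed */
static unsigned go[MAXS][256], fail[MAXS], out[MAXS], ns = 1; /* out: bit i = rule i */
/* Stage 1 setup (call once): Aho-Corasick automaton over all fast patterns. */
void mpse_build(const struct rule *r, int n) {
    unsigned q[MAXS], h = 0, t = 0;
    for (int i = 0; i < n; i++) {                        /* build the trie */
        unsigned s = 0;
        for (const unsigned char *p = (const unsigned char *)r[i].fast; *p; s = go[s][*p++])
            if (!go[s][*p]) go[s][*p] = ns++;
        out[s] |= 1u << i;
    }
    for (int c = 0; c < 256; c++) if (go[0][c]) q[t++] = go[0][c];
    while (h < t) {                    /* BFS: failure links, merged outputs */
        unsigned s = q[h++], u;
        out[s] |= out[fail[s]];
        for (int c = 0; c < 256; c++)
            if ((u = go[s][c])) { fail[u] = go[fail[s]][c]; q[t++] = u; }
            else go[s][c] = go[fail[s]][c];
    }
}
/* Stage 2: Boyer-Moore-Horspool (bad-character shift only) for one literal. */
static int bmh_find(const unsigned char *hay, size_t n, const char *pat) {
    size_t m = strlen(pat), shift[256];
    for (int c = 0; c < 256; c++) shift[c] = m;
    for (size_t i = 0; i + 1 < m; i++) shift[(unsigned char)pat[i]] = m - 1 - i;
    for (size_t pos = 0; m && pos + m <= n; pos += shift[hay[pos + m - 1]])
        if (memcmp(hay + pos, pat, m) == 0) return 1;
    return 0;
}
/* One pass finds candidate rules; only those get the per-rule literal search. */
unsigned evaluate(const struct rule *r, int n, const unsigned char *b, size_t len, unsigned *cand) {
    unsigned hits = 0, s = 0;
    *cand = 0;
    for (size_t i = 0; i < len; i++) { s = go[s][b[i]]; *cand |= out[s]; }
    for (int i = 0; i < n; i++)
        if (((*cand >> i) & 1) && bmh_find(b, len, r[i].other)) hits |= 1u << i;
    return hits;
}
int main(void) {
    unsigned cand, hits;
    mpse_build(RULES, 3);
    hits = evaluate(RULES, 3, (const unsigned char *)PAYLOAD, sizeof PAYLOAD - 1, &cand);
    return printf("candidates=0x%x matches=0x%x\n", cand, hits) < 0;
}
```

On the sample payload the single automaton pass marks rules 0 and 2 as candidates (the fast pattern of rule 2 is a suffix of rule 0's and is reported through the failure link), and the literal search then confirms only rule 0.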
Current thread:
- Pattern matching Tanjim Dipon via Snort-users (Jul 01)
- Re: Pattern matching Md. Nazrul Islam Ridoy via Snort-users (Jul 05)
- Re: Pattern matching Russ Combs (rucombs) via Snort-users (Jul 06)
- Re: Pattern matching Tanjim Dipon via Snort-users (Jul 11)
- Re: Pattern matching Russ Combs (rucombs) via Snort-users (Jul 11)