Snort mailing list archives

Re: Multi-Pattern Matching Engine in Snort


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 3 Jul 2015 13:29:00 +0000

Hello,

A good place to start may be with creating a custom preprocessor: http://manual.snort.org/node40.html

Also, Snort++ has been designed to make this sort of thing easier to implement. You may want to take a look at it as well.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Siti Farhana Binti Lokman [mailto:sitifarhana.lokman () postgrad manchester ac uk]
Sent: Friday, July 03, 2015 9:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Multi-Pattern Matching Engine in Snort



Hi,

Currently I'm doing a comparative study analysing the performance of the multi-pattern matching engine in Snort.

Based on my findings on the inner workings of Snort so far, it has included more pattern matching algorithms as configuration options of the signature matching engine, like AC-FULL, MWM, LOW_MEM, etc.
But if I want to make some modifications or additions (compare other pattern matching algorithms with the existing unmodified algorithms in Snort), how can I compile the source code and test the performance?
I'm planning to measure the performance of memory usage vs. speed of a new search method using the latest ruleset in Snort, "snortrules-snapshot-2962.tar.gz" <https://snort.org/downloads/registered/snortrules-snapshot-2962.tar.gz>, with some precaptured PCAP files.

Right now I'm having difficulties finding resources on the technical part, especially on how to compile and run the code.
I read in some papers that the source code files involved are: fpcreate.c, mpse.c, mpse.h and new C files for the new algorithms.

But can you tell me if there is any technical documentation or a step-by-step guide on how to accomplish this?

I'm really sorry, as I'm really new to this area and still learning. Any suggestions and advice are much appreciated.

Thank you in advance.

Best regards,
Farhana


