Snort mailing list archives
Re: Pattern matching
From: Tanjim Dipon via Snort-users <snort-users () lists snort org>
Date: Thu, 11 Jul 2019 23:34:29 +0600
Thanks for your reply. But I have another query: for string or pattern matching we have more efficient algorithms like the Rabin Karp algorithm. Can we apply that algorithm on snort to make snort more efficient?

On Sat, 6 Jul 2019, 18:34 Russ Combs (rucombs), <rucombs () cisco com> wrote:

Snort 2 uses Boyer-Moore for content literal searches during signature evaluation. There is also a PCRE option for that. A “fast pattern” step precedes that which uses one of several multi-pattern search engines (MPSEs) to search for multiple contents literals in parallel. Some preprocessors / inspectors also do parallel searches.

In addition, Snort 3 can use Hyperscan for a regex fast pattern search as well as with a regex rule option and we are planning to use that instead of Boyer-Moore for repeated content searches.

Searching is typically a large part of the work Snort does and we are always looking to improve how it is done. You should experiment with Snort 3 if you are curious about the current implementation or thinking about experimentation. Snort 3 in particular makes it easy to add an MPSE as a plugin.

https://github.com/snort3

Cheers
Russ

From: Snort-users <snort-users-bounces () lists snort org> on behalf of "Md. Nazrul Islam Ridoy via Snort-users" <Snort-users () lists snort org>
Reply-To: "Md. Nazrul Islam Ridoy" <nazrul15-5503 () diu edu bd>
Date: Saturday, July 6, 2019 at 12:28 AM
To: Tanjim Dipon <tanjim.dipon () gmail com>
Cc: "Snort-users () lists snort org" <Snort-users () lists snort org>
Subject: Re: [Snort-users] Pattern matching

Hi Tanjim,

After a lot of research I have found that Snort used the Boyer-Moore pattern matching algorithm.

You may find more of interest here: https://en.wikipedia.org/wiki/Boyer–Moore_string-search_algorithm

On Mon, Jul 1, 2019 at 10:26 PM Tanjim Dipon via Snort-users <snort-users () lists snort org> wrote:

Hi,

I wanted to know which pattern matching algorithm is used in snort and if there is any scope of improving the performance of the algorithm currently in use.

Thanks

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

--
Thank you
Nazrul
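The two-stage search described in Russ Combs's reply (a multi-pattern "fast pattern" pass that selects candidate rules, then per-literal content searches), as an added example that is not Snort's code and not from the thread. A rolling-hash scan over 4-byte prefixes stands in for an MPSE, and Boyer-Moore-Horspool (Boyer-Moore reduced to the bad-character shift) stands in for the content search. `struct rule`, `prefilter`, `horspool`, `evaluate`, the sample rules and the payload are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define W 4     /* prefilter window: first W bytes of each fast pattern */
#define B 257u  /* rolling-hash base; uint32_t arithmetic wraps mod 2^32 */
struct rule { const char *fast, *content; };  /* hypothetical rule layout */
static const struct rule RULES[] = {          /* constructed sample rules */
    { "cmd.exe", "GET " }, { "/etc/passwd", "GET " }, { "cmd=ls", "POST " } };
static const char PAYLOAD[] = "GET /etc/passwd?x=cmd.ex HTTP/1.1"; /* constructed */

static uint32_t hash_w(const unsigned char *p) {
    uint32_t h = 0;
    for (int i = 0; i < W; i++) h = h * B + p[i];
    return h;
}
/* Stage 1: one pass for all rules (nr <= 32, fast >= W bytes); bit k = rule k is a candidate. */
uint32_t prefilter(const unsigned char *t, size_t n, const struct rule *r, int nr) {
    uint32_t rh[32], bw = 1, h, cand = 0;
    if (n < W) return 0;
    for (int k = 0; k < nr; k++) rh[k] = hash_w((const unsigned char *)r[k].fast);
    for (int i = 0; i < W; i++) bw *= B;      /* B^W, removes the oldest byte */
    h = hash_w(t);
    for (size_t i = 0; ; i++) {
        for (int k = 0; k < nr; k++) if (rh[k] == h) cand |= 1u << k;
        if (i + W >= n) break;
        h = h * B + t[i + W] - bw * t[i];     /* slide the window one byte */
    }
    return cand;
}
/* Stage 2: Boyer-Moore-Horspool (Boyer-Moore with only the bad-character shift). */
long horspool(const unsigned char *t, size_t n, const char *pat) {
    size_t m = strlen(pat), shift[256];
    if (m == 0 || m > n) return -1;
    for (int c = 0; c < 256; c++) shift[c] = m;
    for (size_t i = 0; i + 1 < m; i++) shift[(unsigned char)pat[i]] = m - 1 - i;
    for (size_t pos = 0; pos + m <= n; pos += shift[t[pos + m - 1]])
        if (memcmp(t + pos, pat, m) == 0) return (long)pos;
    return -1;
}
/* Only rules the prefilter selected pay for the per-literal searches. */
uint32_t evaluate(const unsigned char *t, size_t n, const struct rule *r, int nr) {
    uint32_t hit = 0, cand = prefilter(t, n, r, nr);
    for (int k = 0; k < nr; k++)
        if (((cand >> k) & 1u) && horspool(t, n, r[k].fast) >= 0
                               && horspool(t, n, r[k].content) >= 0) hit |= 1u << k;
    return hit;
}
int main(void) {
    printf("hits=0x%x\n", (unsigned)evaluate((const unsigned char *)PAYLOAD, sizeof PAYLOAD - 1, RULES, 3));
}
```

On the sample payload the prefilter flags rules 0 and 1, because the prefix `cmd.` appears, and the full literal search then rejects rule 0 since `cmd.exe` is incomplete.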
Current thread:
- Pattern matching Tanjim Dipon via Snort-users (Jul 01)
- Re: Pattern matching Md. Nazrul Islam Ridoy via Snort-users (Jul 05)
- Re: Pattern matching Russ Combs (rucombs) via Snort-users (Jul 06)
- Re: Pattern matching Tanjim Dipon via Snort-users (Jul 11)
- Re: Pattern matching Russ Combs (rucombs) via Snort-users (Jul 11)