Snort mailing list archives
Multi Pattern Search Engine Plugin
From: Vlad Ulmeanu via Snort-devel <snort-devel () lists snort org>
Date: Sun, 10 Mar 2024 10:57:13 +0200
Hi all, I'm trying to plug in my Multi Pattern Search Engine <https://github.com/vlad-ulmeanu01/ExpoSizeStringSearch> into snort3 and run some benchmarks. I have run into some problems <https://stackoverflow.com/questions/78121441/snort3-where-is-the-default-implementation-for-mpsematch> with the setup: tried to rewrite the lowmem <https://github.com/snort3/snort3_extra/tree/master/src/search_engines/lowmem> example in snort3_extra <https://github.com/snort3/snort3_extra>, but there is a side effect occurring in lowmem's _search <https://github.com/snort3/snort3_extra/blob/b81e2e4f9296d9ae724e8d1b409371a3715fc2cc/src/search_engines/lowmem/lowmem.cc#L65C9-L65C16> function (that triggers another "allow <https://github.com/snort3/snort3_demo/blob/3fdada8224f8ec5ecea4649fdad144edec7a9c9e/tests/search_engines/ac_bnfa/expected#L2>" in the snort3_demo <https://github.com/snort3/snort3_demo/tree/master/tests/search_engines/ac_bnfa> example <https://github.com/snort3/snort3_demo/tree/master/tests/search_engines/ac_bnfa>) when calling match <https://github.com/snort3/snort3_extra/blob/b81e2e4f9296d9ae724e8d1b409371a3715fc2cc/src/search_engines/lowmem/sfksearch.cc#L579> (MpseMatch <https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/search_engines/search_common.h#L39> -> rule_tree_queue <https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/detection/fp_detect.cc#L865> (I suppose this is the default implementation of MpseMatch that lowmem ends up using) -> MpseStash::push <https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/detection/fp_detect.cc#L773> -> MpseStash::process <https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/detection/fp_detect.cc#L832> -> rule_tree_match <https://github.com/snort3/snort3/blob/be0977a3a8a98632e5cd1238c1d0da6dc2693b5f/src/detection/fp_detect.cc#L375>). 
Unfortunately, things get quite complicated, and I couldn't pinpoint the reason for the side effect. How can I deal with this side effect? I assume that I should call match with a non-nullptr argument for tree, but I don't really understand its meaning. Also, where can I find a good documentation source for snort3_extra? The best I could find is this <https://fossies.org/dox/snort3_extra-3.1.78.0/classLowmemMpse.html>.

Thank you,
Vlad Ulmeanu
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!