Snort Forums Archive

multiple-string matching and regular expressions


Posted by luseng on January 22, 2006 00:49:43

Hello,
As I understand, Snort uses multiple-string matching algorithms like Aho-Corasick and Wu-Manber, and it uses PCRE for the regular expressions.
If we have a rule set that contains both literal strings and regular expressions, is it possible to process all these rules in one pass? If it is, how? Which algorithm is used for this problem in Snort?
Thank you :)

Posted by MaityS on February 22, 2006 21:29:45

All the keywords of the rules are converted into bytes before any string matching algorithm is applied. So it doesn't matter whether the rule set is a string or an expression or a combination of both.

Posted by maron on March 14, 2006 04:16:50

Are there any plans to add wildcard matching to Aho-Corasick or Wu-Manber? This would be much faster than regular expressions where appropriate. Here's an example of where it's been done before: http://www.am-utils.org/docs/avfs-security04/
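
An added example, not part of the thread and not Snort's own code: a simplified sketch of one common way to combine the two techniques the thread discusses, where an Aho-Corasick automaton finds every rule literal in a single pass over the payload and a regular expression is evaluated only for rules whose literal was seen. The rule names, literals and patterns are constructed for illustration, and `build_automaton` and `make_scanner` are hypothetical helper names.

```python
import re
from collections import deque

# Constructed rules: (name, literal content, optional regex checked afterwards).
RULES = [
    ("cmd-exe", b"cmd.exe", None),
    ("passwd-traversal", b"/etc/passwd", re.compile(rb"(\.\./){2,}etc/passwd")),
    ("long-user", b"USER ", re.compile(rb"USER [^\r\n]{32,}")),
]

def build_automaton(literals):
    # Aho-Corasick tables: trie edges, failure links, rule indexes ending per state.
    goto, fail, out = [{}], [0], [set()]
    for idx, lit in enumerate(literals):
        state = 0
        for byte in lit:
            if byte not in goto[state]:
                goto.append({}); fail.append(0); out.append(set())
                goto[state][byte] = len(goto) - 1
            state = goto[state][byte]
        out[state].add(idx)
    queue = deque(goto[0].values())          # depth-1 states fail to the root
    while queue:                             # breadth-first, so shallower links exist
        state = queue.popleft()
        for byte, nxt in goto[state].items():
            f = fail[state]
            while f and byte not in goto[f]:
                f = fail[f]
            fail[nxt] = goto[f].get(byte, 0)
            out[nxt] |= out[fail[nxt]]       # inherit literals that end as a suffix
            queue.append(nxt)
    return goto, fail, out

def make_scanner(rules):
    # Build the automaton once; the returned function is called per payload.
    goto, fail, out = build_automaton([lit for _, lit, _ in rules])
    def scan(payload):
        state, hits = 0, set()
        for byte in payload:                 # single pass finds all literals
            while state and byte not in goto[state]:
                state = fail[state]
            state = goto[state].get(byte, 0)
            hits |= out[state]
        # The regex engine runs only for rules whose literal was present.
        return [rules[i][0] for i in sorted(hits)
                if rules[i][2] is None or rules[i][2].search(payload)]
    return scan

scan = make_scanner(RULES)
```

A payload that contains none of the literals never reaches the regex engine, which is where most of the saving over running every expression against every packet comes from.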