Snort Forums Archive
Difference between Aho-Corasick Full, Sparse, Banded and SparseBanded implementations?
Posted by MaityS on February 22, 2006 21:37:36
Hello:
I was running Snort with the AC algorithm in its full, sparse, banded... modes and noticed that memory usage decreases as I go from Full -> Banded -> Sparse Banded -> Banded, whereas the number of state transitions always remains the same. It's always better to have something which uses less memory, but what do we sacrifice for the lowest-memory implementation? I am not able to understand that. Can anyone help me?
Thanks!
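An added illustration of the trade-off asked about above, not code from this thread or from Snort's own acsmx2.c: the same DFA row stored in the full, sparse, banded and sparse-banded layouts, with a lookup routine and a per-row memory count for each. The sample row, the 2-int band header and the zmax gap threshold are assumptions chosen for the example.

```c
#define ALPHA 256   /* byte alphabet: Snort's DFA consumes one byte per step */
#define FAIL  (-1)  /* no transition from this state on that byte */
/* The same DFA row in the three shapes the search-method names refer to. */
typedef struct { int next[ALPHA]; } full_row;                        /* full   */
typedef struct { int count, input[ALPHA], next[ALPHA]; } sparse_row; /* sparse */
typedef struct { int lo, hi, next[ALPHA]; } banded_row;              /* banded */

/* Build all three encodings from ascending (input byte, next state) pairs. */
static void build(const int *in, const int *nx, int n,
                  full_row *f, sparse_row *s, banded_row *b) {
    for (int i = 0; i < ALPHA; i++) f->next[i] = FAIL;
    for (int i = 0; i < n; i++) { f->next[in[i]] = nx[i]; s->input[i] = in[i]; s->next[i] = nx[i]; }
    s->count = n; b->lo = in[0]; b->hi = in[n - 1];
    for (int i = b->lo; i <= b->hi; i++) b->next[i - b->lo] = f->next[i]; /* gaps stay FAIL */
}

/* Lookups: full and banded cost one index (banded after a range check);
   sparse must scan its pairs, which is the time paid for the memory it saves. */
static int full_next(const full_row *r, int c)     { return r->next[c]; }
static int banded_next(const banded_row *r, int c) {
    return (c < r->lo || c > r->hi) ? FAIL : r->next[c - r->lo];
}
static int sparse_next(const sparse_row *r, int c) {
    for (int i = 0; i < r->count; i++) if (r->input[i] == c) return r->next[i];
    return FAIL;
}

/* Memory per row in ints, as if flattened into one table: full keeps 256 slots; sparse
   a count plus its pairs; banded lo, hi and every slot between them, gaps included;
   sparse-banded closes a band (2-int header each) wherever a gap longer than zmax appears. */
static int full_ints(void)                   { return ALPHA; }
static int sparse_ints(int n)                { return 1 + 2 * n; }
static int banded_ints(const int *in, int n) { return 2 + in[n - 1] - in[0] + 1; }
static int sparsebands_ints(const int *in, int n, int zmax) {
    int total = 0, lo = in[0];
    for (int i = 1; i <= n; i++)
        if (i == n || in[i] - in[i - 1] - 1 > zmax) {   /* end of row or gap too long */
            total += 2 + in[i - 1] - lo + 1;
            if (i < n) lo = in[i];
        }
    return total;
}

/* Constructed sample row: transitions on 'a', 'c' and 'z' only (3 of 256 bytes). */
#define SAMPLE_N 3
static const int SAMPLE_IN[SAMPLE_N] = { 'a', 'c', 'z' }, SAMPLE_NX[SAMPLE_N] = { 3, 7, 12 };
/* Next state for byte c in the sample row under format 'f', 's' or 'b'. */
static int sample_next(char fmt, int c) {
    full_row f; sparse_row s; banded_row b;
    build(SAMPLE_IN, SAMPLE_NX, SAMPLE_N, &f, &s, &b);
    return fmt == 'f' ? full_next(&f, c) : fmt == 's' ? sparse_next(&s, c) : banded_next(&b, c);
}
```

For the sample row the counts come out as 256 (full), 28 (banded), 8 (sparse-banded with zmax 10) and 7 (sparse) ints, while every layout returns the same next state; what changes is that the sparse lookup scans its pairs instead of indexing once.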
Posted by xiaolihan on May 08, 2006 22:38:34
Hello:
I'm sorry that I can't reply to your question; however, I want to ask you a question: are there some string match algorithms in Snort? May I choose one of them to do an experiment? How to do it?
Thank you!
Regards
Snort beginner
Posted by MaityS on May 08, 2006 23:08:10
hi xiao,
You can do so by editing the search method in the snort.conf file (config detection: search-method ac). ac: Default Aho-Corasick; acs: AC Sparse; mwm: Modified Wu-Manber; lowmem: Low Memory Trie ... and so on.
regards.
Posted by Julia on May 23, 2006 19:43:34
hi:
Please tell me your email, OK? I want to ask you some questions.
Thanks
Regards
xiaohan016@gmail.com
Posted by MaityS on May 23, 2006 20:14:01
You can post your questions in this forum, and might have better answers than I could.
Posted by Julia on May 23, 2006 23:39:08
OK. Now I want to do an experiment on performance testing of some string match algorithms (BM, AC) in Snort, but I only found the code of BM in mstring.c, not the others. Why?
So first I need to read some data from the hard disk; in which mode could Snort do this job?
Second, I need to write new rules in Snort. I don't know how to add new rules to Snort and use them to detect special traffic. Please help me, thanks!
Best regards
Posted by MaityS on May 23, 2006 23:53:43
They are at src/sfutil (acsmx.c, acsmx2.c, mwm.c, sfksearch.c etc...). The appropriate class will be chosen through methods implemented in the mpse.c file using the configuration from the snort.conf file.
You can do that in the default daemon mode (hard disk..).
Please read chapter 3 of snort_manual.pdf to write your rules and include the file destination in snort.conf.
Regards.
Posted by Julia on May 25, 2006 23:56:27
Thank you for the detailed answer. I have some questions now:
First: I don't know how to put Snort in default daemon mode;
Second: in Snort, how to open .cap files?
Third: after I write "snort -d -h * /* -c snort.conf", there is an error: Unable to open rules files: ../rules/local.rules or ./../rules/local/rules. Why? I don't know whether snort.conf can be used in the command only from the directory where snort.conf is located, because when not in the directory of snort.conf, if I write the command containing snort.conf, there will be the same error as above.
Best regards
Posted by Julia on May 28, 2006 19:25:22
hi:
I know the first question from your hint; please help with the last two, thanks.
Best regards
Posted by MaityS on May 28, 2006 19:40:19
Second: I have never used the .cap files directly, so I don't know. I will let you know when I know the answer.
Third: I hope you understand Snort needs a rules file to run. You can either purchase one or you can download sample rules files from snort.org. Once you have a rules file, change the path of the rules (RULE_PATH in snort.conf) as appropriate for you. Always give the full path, not one relative to your current directory. See what rules files (extension .rules) you have in your rules directory and accordingly comment/uncomment the rules mentioned in snort.conf. You will find a list of all rules files which normally come with the commercial rules distribution.
With the default configuration of Snort, to run Snort, just type "snort" from the etc directory.
Regards,
Sourav
Posted by Julia on May 29, 2006 23:27:54
First, thank you for your detailed explanation!
But I'm sorry, I have a question: I can't understand how to make a rule effective for fixed data. For example: log udp any any -> 192.168.1.0/24 1:1024 log udp.
Please help!
Regards
Posted by Joel_Esler on July 06, 2006 18:40:42
I've read this thread, and I just understand the question. I am willing to help if you can explain what you are attempting to do.