Re: snort & regular expressions

Martin Roesch Fri, 27 Jan 2006 16:22:45 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It isn't inefficient if the prequalification step does its job welland narrows down the set of testable rules to a small subset of thetotal ruleset. That's what the set-wise pattern matchers are for,they cull down the entire rule set for any given data buffer to onlythe rules that can potentially fire, then those rules are testedsequentially. If that turns out to be 1500 rules that all have PCREoptions in them we've got a problem, but typically that doesn'thappen. :)


     -Marty

On Jan 27, 2006, at 11:52 AM, Sevil SEN wrote:

Thank you Marty.
As I understand, snort uses aho-corasick, wu-manber or boyer-mooremulti-pattern matching algorithms for literal strings(content/uri-content options). And it uses pcre library for regular expressions.As I see, it doesn't match all regular expressions simultaneously.It matchs the regular expressions using pcre_exec function one byone. If we have too many rules that contain regular expressions(pcre option), isn't it inefficient?
From: Martin Roesch <[EMAIL PROTECTED]>
To: Sevil SEN <[EMAIL PROTECTED]>
CC: [email protected]
Subject: Re: snort & regular expressions
Date: Wed, 25 Jan 2006 14:56:40 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Sevil,
We use a two-stage process in the Snort detection engine thesedays. In it's standard configuration all the rules that areloaded in at runtime have their longest pattern matching option(content/ uricontent) loaded into a fast set-wise pattern matchingengine. (Set-wise pattern matchers match all patterns in theset simultaneously.) Once the engine is up and running, trafficis run thru the set-wise pattern matcher to pre-qualify rulesthat *may* fire. These rules are chained together and testedafter the prequalification stage, greatly reducing the number ofrules that have to be analyzed for any given data set. For thesake of building the prequalification set-wise matching data, thePCRE rule options are ignored and only tested when the full rulesthemselves are tested after prequalification.
There are three basic pattern matching algorithms that we use inSnort today, Wu-Manber, Aho-Corasick and Boyer-Moore. PCRE usesits own DFA/NFA mechanisms behind the scenes.
Hope that helps!

     -Marty

On Jan 25, 2006, at 2:01 PM, Sevil SEN wrote:
Hello,
I know that Snort uses efficient multiple-string algorithms. Ifthe set of strings contain regular expressions, which algorithmis used in Snort?
thanks..

_________________________________________________________________
Her yönüyle sohbetin tadi ancak Messenger ile çikar! http://messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584
---------------------------------------------------------------------- --
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-worldattacks from CORE IMPACT.Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.---------------------------------------------------------------------- --
- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD19f4qj0FAQQ3KOARAjXLAJwN6EG7KIrdwSSoQdoD+ndBbMvpVQCfSKx0
tW43zCOMY/dPWmMLfhWPkzY=
=YFtm
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
_________________________________________________________________
Her yönüyle sohbetin tadi ancak Messenger ile çikar! http://messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD2luzqj0FAQQ3KOARAqUiAJ4jKhkOmyy7p6QJ+c7ZE5t7zDZYAwCfaJ13
d+gvlVtPTgs42ikTOm5hc7A=
=gv9z
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Re: snort & regular expressions

Reply via email to