Re: snort & regular expressions

Thank you Marty.
As I understand, snort uses aho-corasick, wu-manber or boyer-moore 
multi-pattern matching algorithms for literal strings(content/uri-content 
options). And it uses pcre library for regular expressions. As I see, it 
doesn't match all regular expressions simultaneously. It matchs the regular 
expressions using pcre_exec function one by one. If we have too many rules 
that contain regular expressions(pcre option), isn't it inefficient?


> From: Martin Roesch <roesch@sourcefire.com>
> To: Sevil SEN <sevilsen@hotmail.com>
> CC: focus-ids@securityfocus.com
> Subject: Re: snort & regular expressions
> Date: Wed, 25 Jan 2006 14:56:40 -0500
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Sevil,
>
> We use a two-stage process in the Snort detection engine these days.   In 
> it's standard configuration all the rules that are loaded in at  runtime 
> have their longest pattern matching option (content/ uricontent) loaded 
> into a fast set-wise pattern matching engine.   (Set-wise pattern matchers 
> match all patterns in the set  simultaneously.)  Once the engine is up and 
> running, traffic is run  thru the set-wise pattern matcher to pre-qualify 
> rules that *may*  fire.  These rules are chained together and tested after 
> the  prequalification stage, greatly reducing the number of rules that  
> have to be analyzed for any given data set.  For the sake of building  the 
> prequalification set-wise matching data, the PCRE rule options  are ignored 
> and only tested when the full rules themselves are tested  after 
> prequalification.
>
> There are three basic pattern matching algorithms that we use in  Snort 
> today, Wu-Manber, Aho-Corasick and Boyer-Moore.  PCRE uses its  own DFA/NFA 
> mechanisms behind the scenes.
>
> Hope that helps!
>
>      -Marty
>
> On Jan 25, 2006, at 2:01 PM, Sevil SEN wrote:
>
> > Hello,
> > I know that Snort uses efficient multiple-string algorithms. If the  set 
> > of strings contain regular expressions, which algorithm is used  in Snort?
> > thanks..
> >
> > _________________________________________________________________
> > Her yvn|yle sohbetin tadi ancak Messenger ile gikar! http:// 
> > messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584
> >
> >
> > ---------------------------------------------------------------------- --
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  from 
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus- ids_040708 
> > to learn more.
> > ---------------------------------------------------------------------- --
>
> - --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
>
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (Darwin)
>
> iD8DBQFD19f4qj0FAQQ3KOARAjXLAJwN6EG7KIrdwSSoQdoD+ndBbMvpVQCfSKx0
> tW43zCOMY/dPWmMLfhWPkzY=
> =YFtm
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------

_________________________________________________________________
Her yvn|yle sohbetin tadi ancak Messenger ile gikar! 
http://messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------