Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: snort & regular expressions

from [Martin Roesch] Network Security [Permanent Link]
Subject: Re: snort & regular expressions
Date: Fri, 27 Jan 2006 12:43:15 -0500 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It isn't inefficient if the prequalification step does its job well and narrows down the set of testable rules to a small subset of the total ruleset. That's what the set-wise pattern matchers are for, they cull down the entire rule set for any given data buffer to only the rules that can potentially fire, then those rules are tested sequentially. If that turns out to be 1500 rules that all have PCRE options in them we've got a problem, but typically that doesn't happen. :)

     -Marty

On Jan 27, 2006, at 11:52 AM, Sevil SEN wrote:


Thank you Marty.
As I understand, snort uses aho-corasick, wu-manber or boyer-moore multi-pattern matching algorithms for literal strings(content/uri- content options). And it uses pcre library for regular expressions. As I see, it doesn't match all regular expressions simultaneously. It matchs the regular expressions using pcre_exec function one by one. If we have too many rules that contain regular expressions (pcre option), isn't it inefficient?


From: Martin Roesch <roesch@sourcefire.com>
To: Sevil SEN <sevilsen@hotmail.com>
CC: focus-ids@securityfocus.com
Subject: Re: snort & regular expressions
Date: Wed, 25 Jan 2006 14:56:40 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Sevil,

We use a two-stage process in the Snort detection engine these days. In it's standard configuration all the rules that are loaded in at runtime have their longest pattern matching option (content/ uricontent) loaded into a fast set-wise pattern matching engine. (Set-wise pattern matchers match all patterns in the set simultaneously.) Once the engine is up and running, traffic is run thru the set-wise pattern matcher to pre-qualify rules that *may* fire. These rules are chained together and tested after the prequalification stage, greatly reducing the number of rules that have to be analyzed for any given data set. For the sake of building the prequalification set-wise matching data, the PCRE rule options are ignored and only tested when the full rules themselves are tested after prequalification.

There are three basic pattern matching algorithms that we use in Snort today, Wu-Manber, Aho-Corasick and Boyer-Moore. PCRE uses its own DFA/NFA mechanisms behind the scenes.

Hope that helps!

     -Marty

On Jan 25, 2006, at 2:01 PM, Sevil SEN wrote:

Hello,
I know that Snort uses efficient multiple-string algorithms. If the set of strings contain regular expressions, which algorithm is used in Snort?
thanks..

_________________________________________________________________
Her yönüyle sohbetin tadi ancak Messenger ile çikar! http:// messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584


-------------------------------------------------------------------- -- --
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus- ids_040708 to learn more.
-------------------------------------------------------------------- -- --


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD19f4qj0FAQQ3KOARAjXLAJwN6EG7KIrdwSSoQdoD+ndBbMvpVQCfSKx0
tW43zCOMY/dPWmMLfhWPkzY=
=YFtm
-----END PGP SIGNATURE-----

--------------------------------------------------------------------- ---
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus- ids_040708
to learn more.
--------------------------------------------------------------------- ---


_________________________________________________________________
Her yönüyle sohbetin tadi ancak Messenger ile çikar! http:// messenger.msn.com/?mkt=tr&DI=3490&XAPID=2584


- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD2luzqj0FAQQ3KOARAqUiAJ4jKhkOmyy7p6QJ+c7ZE5t7zDZYAwCfaJ13
d+gvlVtPTgs42ikTOm5hc7A=
=gv9z
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------


[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: snort & regular expressions, Sevil SEN
Next by Date:  Real world experience with HIDS, Paul Schmehl
Previous by Thread:  Re: snort & regular expressions, Sevil SEN
Next by Thread:  Type of Attack Vector, jono29
Indexes:  [Date] [Thread] [Top] [All Lists]