snort-devel July 2008 archive

[Snort-devel] regarding pattern matching

From: Govind <govind_at_nospam>
Date: Thu Jul 17 2008 - 13:34:40 GMT
To: snort-devel@lists.sourceforge.net


Greetings all,

I am studying the performance of the pattern-matching module in Snort. In particular, I am studying the performance of the Aho-Corasick automaton-based search.

I would like to know whether, in case of a pattern match, the actions corresponding to rules need to be done at wire speeds. The traversal of the Aho-Corasick automaton needs to be done at the incoming line rate. But do the actions that correspond to each node (an alert or a packet log) also need to be done at wire speeds?

The reason I am asking is because I have noticed that there are nodes with multiple matches. These multiple matches are stored as a linked list. I also observe that this can have a performance impact. Can these actions be done offline and not at the line rate?

Regards
Govind
--
-----------------------------------------------------------------------
Govind S
Graduate student
Departament d'Arquitectura de Computadors
Universitat Politecnica de Catalunya
c/ Jordi Girona 1-3, Edifici D6
08034-Barcelona (Spain)
E-mail: govind@ac.upc.edu
Phone: +34 93 4054097
-----------------------------------------------------------------------
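
A sketch of the split the message asks about, as an added example that is not part of the original post and is not Snort's code: an Aho-Corasick automaton whose line-rate loop only records (state, offset) for states that carry matches, while the per-state linked lists are walked in a later pass. The names add_pattern, build, scan and drain, the patterns, the rule numbers and the payload are all constructed for illustration; the deferred pass follows failure links to reach matches that end at suffix states.

```c
#include <stdio.h>
enum { MAXS = 64, MAXQ = 64 };  /* state limit; deferred-event queue capacity */
struct event { int state, offset; };  /* all the fast path records per hit */
static struct match { int rule; struct match *next; } *out[MAXS], pool[MAXS];
static int trans[MAXS][256], fail[MAXS], hit[MAXS], nstates = 1, npool;
static void add_pattern(const char *p, int rule) {
    int s = 0;
    for (const unsigned char *u = (const unsigned char *)p; *u; s = trans[s][*u++])
        if (!trans[s][*u]) trans[s][*u] = nstates++;
    pool[npool] = (struct match){ rule, out[s] }; out[s] = &pool[npool++]; /* prepend */
}
static void build(void) {  /* BFS: failure links, missing edges filled in */
    int q[MAXS], h = 0, t = 0;
    for (int c = 0; c < 256; c++) if (trans[0][c]) q[t++] = trans[0][c];
    while (h < t) {
        int s = q[h++];
        hit[s] = out[s] != 0 || hit[fail[s]];  /* match here or at a suffix state */
        for (int c = 0; c < 256; c++) {
            int n = trans[s][c];
            if (n) { fail[n] = trans[fail[s]][c]; q[t++] = n; }
            else trans[s][c] = trans[fail[s]][c];
        }
    }
}
/* Fast path: one table lookup per byte; a hit only enqueues (state, offset). */
static int scan(const unsigned char *buf, int len, struct event *ev) {
    int s = 0, n = 0;
    for (int i = 0; i < len; i++) {
        s = trans[s][buf[i]];
        if (hit[s] && n < MAXQ) { ev[n].state = s; ev[n++].offset = i; }
    }
    return n;
}
/* Slow path, run later: walk each state's list plus its suffix states' lists. */
static int drain(const struct event *ev, int n, int *rules, int max) {
    int k = 0;
    for (int i = 0; i < n; i++)
        for (int s = ev[i].state; s; s = fail[s])
            for (struct match *m = out[s]; m; m = m->next)
                if (k < max) rules[k++] = m->rule;
    return k;
}
int main(void) {  /* constructed patterns and payload; "he" carries two rules */
    struct event ev[MAXQ]; int rules[16];
    add_pattern("he", 1); add_pattern("she", 2); add_pattern("hers", 3); add_pattern("he", 4);
    build();
    int n = scan((const unsigned char *)"ushers", 6, ev);
    printf("%d events, %d rule hits\n", n, drain(ev, n, rules, 16));
    return 0;
}
```

The scan loop does the same amount of work per byte whether a state carries one rule or many; the cost of a long match list is paid only in drain.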
