snort-devel July 2008 archive

[Snort-devel] regarding pattern matching

From: Govind <govind_at_nospam>
Date: Thu Jul 17 2008 - 13:34:40 GMT

Greetings all,

I am studying the performance of the pattern-matching module in snort. In particular, I am studying the performance of the Aho-Corasick automaton based search.

I would like to know whether, in the case of a pattern match, the actions corresponding to rules need to be done at wire speed. The traversal of the Aho-Corasick automaton needs to be done at the incoming line rate. But do the actions that correspond to each node - an alert or a packet log - also need to be done at wire speed?

The reason I am asking is that I have noticed that there are nodes with multiple matches. These multiple matches are stored as a linked list. I also observe that this can have a performance impact. Can these actions be done offline and not at the line rate?

Govind

--
Govind S
Graduate student
Departament d'Arquitectura de Computadors
Universitat Politecnica de Catalunya
Phone: +34 93 4054097
c/ Jordi Girona 1-3, Edifici D6
08034-Barcelona (Spain)
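The split the message asks about, as an added illustration that is not Snort's code and not from the poster: a small Aho-Corasick DFA whose per-byte loop only records (state, offset) for matching states, while the per-state linked lists of rules are walked in a separate pass. All names (`ac_add`, `ac_build`, `ac_scan`, `ac_drain`), the rule ids and the input are constructed for this example.

```c
enum { MAXS = 64, MAXQ = 64 };  /* added example, not Snort code; toy limits */
struct match { int rule; struct match *next; };   /* per-state match list */
struct event { int state, off; };                 /* all the hot path records */
static int trans[MAXS][256], fail_[MAXS], nstates = 1, npool;
static struct match *out[MAXS], pool[MAXS];

static void ac_add(const char *p, int rule) {     /* insert one rule's pattern */
    int s = 0;
    for (; *p; s = trans[s][(unsigned char)*p++])
        if (!trans[s][(unsigned char)*p]) trans[s][(unsigned char)*p] = nstates++;
    pool[npool] = (struct match){ rule, out[s] }; /* prepend to the state's list */
    out[s] = &pool[npool++];
}

static void ac_build(void) {                      /* BFS: failure links, then DFA */
    int q[MAXS], h = 0, t = 0;
    for (int c = 0; c < 256; c++) if (trans[0][c]) q[t++] = trans[0][c];
    while (h < t) {
        int s = q[h++], f = fail_[s];
        struct match **tail = &out[s];
        while (*tail) tail = &(*tail)->next;
        *tail = out[f];                           /* inherit suffix matches */
        for (int c = 0, n; c < 256; c++)
            if ((n = trans[s][c])) { fail_[n] = trans[f][c]; q[t++] = n; }
            else trans[s][c] = trans[f][c];
    }
}

static int ac_scan(const unsigned char *buf, int len, struct event *ev) {
    int s = 0, n = 0;                             /* hot path: one lookup per byte */
    for (int i = 0; i < len; i++) {
        s = trans[s][buf[i]];
        if (out[s] && n < MAXQ) ev[n++] = (struct event){ s, i };
    }
    return n;
}
static int ac_drain(const struct event *ev, int n, int *rules, int max) {
    int k = 0;                                    /* deferred: walk lists later */
    for (int i = 0; i < n; i++)
        for (struct match *m = out[ev[i].state]; m && k < max; m = m->next)
            rules[k++] = m->rule;
    return k;
}

int main(void) {                                  /* constructed sample input */
    struct event ev[MAXQ]; int rules[16];
    ac_add("he", 1); ac_add("he", 4); ac_add("she", 2); ac_add("hers", 3);
    ac_build();
    int n = ac_scan((const unsigned char *)"ushers", 6, ev);
    return ac_drain(ev, n, rules, 16) == 4 ? 0 : 1;
}
```

The event queue here is bounded, so matching states beyond `MAXQ` in one scan are silently dropped; a real design would have to size or flush it deliberately.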
