Re: [Snort-devel] Snort Pattern Search Algorithms

On Tue, Apr 06, 2004 at 10:35:25AM -0400, Marc Norton wrote: Hello,

> Snort uses a variant of the Wu-Manber algorithm, and a straight forward

while we're at it. I've got the following question concerning the implementation of the wu-manber multi-pattern matcher.

As far as i could see "normal" traffic is searched using the function mwmSearchExBC which implements a one character shifttable/two character hashtable wu-manber search.

The function mwmSearchExBW which implements the two character shifttable version is only used when explicitly asked for (by calling mwmLargeShifts aka. mpseLargeShifts). Which is only done for searching URI-Content.

What's the reason behind this? Why isn't mwmSearchExBW suitable for all traffic?
Shouldn't it perform better than mwwSearchExBC? Why not? I thought a shifttable which is accessed by a block of characters would perform better than a shifttable accessed by a single character.

TIA Frank Meerkoetter

-- 
mixed emotions:
	Watching a bus-load of lawyers plunge off a cliff.
	With five empty seats.


-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related snort.org Links snort-announce snort-cvsinfo snort-devel snort-sigs snort-users Request more information about Pantek