> I have just read some source code, and found in Snort an implementation
> of an Aho-Corasick-like Boyer-Moore-style searching algorithm has been given;
> it allows multiple patterns to be searched for in a packet at the same
> time, and the Snort content rules are placed in an Aho-Corasick-like keyword
> search tree that overlaps similar prefixes.
Right - we're aiming for something along those lines, though a bit different.
Vern
For what it's worth, ISS RealSecure purchased NetworkICE for the sole reason
of getting their hands on multiple pattern matching and heuristic tree
pruning with regards to where to look.
So ISS RealSecure v6.5 now doesn't search the whole packet for long strings
of "%20" for example, or "/././././cgi-bin/*.phf". Instead it looks solely
in the packet payload.
By the same token, it won't look for solitary FIN packets out of sequence in
the packet payload, either.
These were both features of NetworkICE - and are part of the improved
capability derived from Network Associates Sniffer Pro (the authors of
Sniffer Pro went on to form NetworkICE after selling out).
The advances that both Snort and NetworkICE bring to the table include not
only searching in multiple parts of the packet simultaneously and
intelligently matching different vulnerabilities against the parts of the
packet in which they can be found, but also a re-written packet driver that
pulls packets in promiscuous mode at much higher speed than the OSes can.
Cheers!
Nathan Dornbrook
Head of Network Security
Royal Bank of Scotland
Regus House, 10 Lochside Place
Edinburgh Park, Edinburgh
EH12 9RG
* 0131-523 9299
e* dornbrn(a)rbos.co.uk
-----Original Message-----
From: LHP [mailto:lihp@cn.is-one.net]
Sent: 27 May 2002 10:16
To: Vern Paxson
Cc: Ashley Thomas; bro(a)lbl.gov
Subject: re: Pattern matching vs Regular expression
hi, dear all,
I have just read some source code, and found in Snort an implementation of
an Aho-Corasick-like Boyer-Moore-style searching algorithm has been given; it
allows multiple patterns to be searched for in a packet at the same time, and
the Snort content rules are placed in an Aho-Corasick-like keyword search
tree that overlaps similar prefixes.
best regards
Li hongpei
-----Original Message-----
From: Vern Paxson [mailto:vern@icir.org]
Sent: 24 May 2002 22:19
To: LHP
Cc: Ashley Thomas; bro(a)lbl.gov
Subject: Re: Reply: Pattern matching vs Regular expression
> how about the multi-pattern matching algorithms?
Yes, that's what I'm referring to.
Vern
> >The latest public snapshot is
> >
> > ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a90.tar.gz
> ~~~What does it mean? :)
> I searched through ftp.ee.lbl.gov, but can not find it. Would you tell
> me the address in detail? Thanks a lot.
That's the correct URL. If your browser can't fetch it, use ordinary FTP.
The file is "invisible" due to its leading '.', but it's definitely there
and fetchable.
Vern
> where I can get source code of the bro ?
The latest public snapshot is
ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a90.tar.gz
I hope to get a significantly enhanced version out the door mid-Summer.
We've added a lot, but haven't put together all the documentation for it yet.
Vern
> Apart from that, speed-wise, is reg-exp matching still much faster than
> simple string matching like Boyer-Moore or similar algos?
Regular expression matching is comparable in speed to simple string
matching, and (generally) slower than Boyer-Moore *for single strings*.
Where it can gain performance is that it can efficiently match a lot of
strings in parallel. Robin Sommer & I are now working on using this to
significantly enhance Bro's signature-matching capabilities - stay tuned.
Vern
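The two ideas this thread circles around, a keyword tree that shares common prefixes between Snort-style content strings and a single pass over the payload that finds every pattern at once, can be seen concretely in a small Aho-Corasick matcher. The following is an added example written for this archive; it is not code from Snort, Bro, or any of the posters. The patterns and the HTTP request payload are constructed sample data, and `naive_find_all` is only a reference point showing what one-string-at-a-time scanning has to repeat for each pattern.

```python
from collections import deque

# Constructed sample signatures; two share the "/cgi-bin/" prefix.
PATTERNS = [b"/cgi-bin/phf", b"/cgi-bin/", b"%20%20", b"phf"]

# Constructed sample payload (not a real capture).
PAYLOAD = b"GET /cgi-bin/phf?%20%20%20 HTTP/1.0"


class AhoCorasick:
    """Keyword trie with failure links: all patterns are matched in one pass."""

    def __init__(self, patterns):
        self.goto = [{}]   # per-state transitions keyed by input byte
        self.fail = [0]    # failure link per state
        self.out = [[]]    # patterns that end at this state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        # Walk/extend the trie; a shared prefix reuses existing states.
        s = 0
        for b in pattern:
            if b not in self.goto[s]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][b] = len(self.goto) - 1
            s = self.goto[s][b]
        self.out[s].append(pattern)

    def _build_failure_links(self):
        # Breadth-first so that every state's failure target is finished first.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A state also reports every pattern that is a suffix of it.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return (start_offset, pattern) for every occurrence, in scan order."""
        s = 0
        hits = []
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for p in self.out[s]:
                hits.append((i - len(p) + 1, p))
        return hits

    def state_count(self):
        return len(self.goto)


def find_all(payload=PAYLOAD, patterns=PATTERNS):
    """One pass over the payload for all patterns."""
    return AhoCorasick(patterns).search(payload)


def naive_find_all(payload=PAYLOAD, patterns=PATTERNS):
    """Reference: one full scan of the payload per pattern."""
    hits = []
    for p in patterns:
        start = payload.find(p)
        while start != -1:
            hits.append((start, p))
            start = payload.find(p, start + 1)
    return sorted(hits)


def trie_size(patterns=PATTERNS):
    """States in the keyword tree, versus total pattern bytes if nothing were shared."""
    return AhoCorasick(patterns).state_count(), sum(len(p) for p in patterns) + 1


if __name__ == "__main__":
    for offset, pattern in find_all():
        print(f"offset {offset:2d}: {pattern!r}")
    print("trie states vs unshared bytes (+root):", trie_size())
```

Running it reports the five hits (both overlapping "%20%20" occurrences included) and a trie of 22 states for 30 bytes of patterns plus the root, because "/cgi-bin/" is folded into "/cgi-bin/phf". The same set of hits comes back from `naive_find_all`, which has to rescan the payload once per pattern; the automaton's cost per input byte does not grow with the number of patterns, which is the parallel-matching gain Vern describes.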
hi,
Usage of regular expressions for pattern matching is always better than
using simple string matching in the sense that
- it gives more power
- it can reduce the number of signatures needed.
Apart from that, speed-wise, is reg-exp matching still much faster than
simple string matching like Boyer-Moore or similar algos?
any pointers or references will be great.
thanks a lot
ashley
Hi, pals!
I have got some IP fragment packets of a large datagram
(more than 1500 bytes). Can I use Bro to reassemble the IP packets?
Another question: if I have a large datagram from a higher level (maybe TCP),
can I use Bro to fragment the large datagram into small IP packets?
Best regards,
George Ma
I use the "./bro -i eth0 tcp.bro -w tom.log" command to save the log to my
specific log file, tom.log, but I can only use "./bro -r tom.log" to read
it. All other applications or viewers such as vi and gedit can NOT read
it. Is this because the file format of this log file is NOT ASCII
format? Please tell me how to deal with this problem. Thank you.