From: Martin Roesch (roesch@sourcefire.com)
Date: Wed Jan 02 2002 - 12:43:00 CST
Hi Neil,
The "3rd dimension" is the linked list of function pointers that
hangs off of each node in the RTN-OTN "tree" (table). The list of
function pointers is walked (recursively) as each node is accessed on
the tree, so each data node in the tree knows how to test itself against
the current packet. There are some further optimizations that can be
done to make it even faster, but I found that we became I/O bound before
we hit the wall on how fast the tree can be traversed.
There's no real documentation on this per se, but it's hinted at in the
1999 "lisapaper.txt" from the USENIX LISA conference that's up at
www.snort.org and you can see how the whole thing is built in
rules.[h|c] in the Snort source distro. The detection engine starts in
the function Detect() therein.
-Marty
ndesai01@tampabay.rr.com wrote:
>
> I thought that snort only used a two dimensional linked
> list for the rule matching in the detection engine. I
> read Marty's presentation at BlackHat and he states
> that snort now uses a 3 dimensional linked list. Can
> anyone please explain this to me or point me to
> some documentation on this. Thanks.
>
> Neil
--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
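The structure Marty describes, as an added illustration in C that is not Snort's own code: RTNs hold the header criteria, OTNs hang off each RTN, and each OTN carries a linked list of function-pointer option tests that is walked recursively, so every node tests itself against the current packet. The type names, the two option tests, the sids and the rule table are all constructed for this example.

```c
#include <string.h>

/* Toy packet: only the fields the checks below look at (constructed). */
typedef struct { int proto; int dport; const char *payload; } Packet;
/* Option-test node, the "3rd dimension": function pointer, argument, next. */
typedef struct OptNode {
    int (*test)(const Packet *, const void *);
    const void *arg;
    struct OptNode *next;
} OptNode;
/* OTN: one rule's option chain and its signature id (sid). */
typedef struct OTN { int sid; OptNode *opts; struct OTN *next; } OTN;
/* RTN: header criteria shared by every OTN listed under it. */
typedef struct RTN { int proto; int dport; OTN *otns; struct RTN *next; } RTN;

/* Two constructed option tests: payload substring, minimum payload length. */
static int opt_content(const Packet *p, const void *arg) {
    return p->payload && strstr(p->payload, (const char *)arg) != NULL;
}
static int opt_min_len(const Packet *p, const void *arg) {
    return p->payload && (int)strlen(p->payload) >= *(const int *)arg;
}
/* Walk the option chain recursively; every test on it must pass. */
static int eval_opts(const OptNode *o, const Packet *p) {
    return o == NULL || (o->test(p, o->arg) && eval_opts(o->next, p));
}

/* Detect: header match per RTN, then each OTN tests itself; first sid or 0. */
int detect(const RTN *rtn, const Packet *p) {
    for (; rtn; rtn = rtn->next) {
        if (rtn->proto != p->proto || rtn->dport != p->dport) continue;
        for (const OTN *o = rtn->otns; o; o = o->next)
            if (eval_opts(o->opts, p)) return o->sid;
    }
    return 0;
}

/* Constructed table: TCP/80, sid 1001 needs "cmd.exe" AND length >= 12,
 * sid 1002 needs only "../". otn1 is checked before otn2. */
static int min12 = 12;
static OptNode n_len  = { opt_min_len, &min12, NULL };
static OptNode n_cmd  = { opt_content, "cmd.exe", &n_len };
static OptNode n_trav = { opt_content, "../", NULL };
static OTN otn2 = { 1002, &n_trav, NULL };
static OTN otn1 = { 1001, &n_cmd, &otn2 };
static RTN rule_table = { 6, 80, &otn1, NULL };

/* Entry point used by the test: classify one TCP payload by dest port. */
int match_tcp(int dport, const char *payload) {
    Packet p = { 6, dport, payload };
    return detect(&rule_table, &p);
}
```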