Pattern matching vs Regular expression

Dornbrook, Nathan Nathan.Dornbrook at
Mon May 27 04:08:13 PDT 2002

For what it's worth, ISS RealSecure purchased NetworkICE for the sole reason
of getting their hands on multiple pattern matching and heuristic tree
pruning with regards to where to look.

So ISS RealSecure v6.5 now doesn't search the whole packet for long strings
of "%20" for example, or "/././././cgi-bin/*.phf". Instead it looks solely
in the packet payload.

By the same token, it won't look for solitary FIN packets out of sequence in
the packet payload, either.

These were both features of NetworkICE - and are part of the improved
capability derived from Network Associates Sniffer Pro (the authors of
Sniffer Pro went on to form NetworkICE after selling out).

The advances that both Snort and NetworkICE bring to the table include not
only searching in multiple parts of the packet simultaneously and
intelligently matching different vulnerabilities against the parts of the
packet that they can be found, but also a re-written packet driver that
pulls packets in promiscuous mode at much higher speed than the OSes can.


Nathan Dornbrook
Head of Network Security
Royal Bank of Scotland
Regus House, 10 Lochside Place 
Edinburgh Park, Edinburgh
EH12 9RG
* 0131-523 9299 
e*  dornbrn at

-----Original Message-----
From: LHP [mailto:lihp at]
Sent: 27 May 2002 10:16
To: Vern Paxson
Cc: Ashley Thomas; bro at
Subject: re: Pattern matching vs Regular expression 

hi, dear  all, 

I have just read some source code and found that Snort includes an
implementation of an Aho-Corasick-like, Boyer-Moore-style searching
algorithm. It allows multiple patterns to be searched for in a packet at the
same time, and the Snort content rules are placed in an Aho-Corasick-like
keyword search tree that overlaps similar prefixes.

best regards

Li hongpei

From: Vern Paxson [mailto:vern at]
Sent: 24 May 2002 22:19
To: LHP
Cc: Ashley Thomas; bro at
Subject: Re: Reply: Pattern matching vs Regular expression 

> how about the multi-pattern matching algorithms?

Yes, that's what I'm referring to.
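
The multi-pattern matching discussed in this thread, as an added illustration that is not part of the original messages and is not code from Snort, Bro or RealSecure: a minimal Aho-Corasick matcher that stores several content patterns in one keyword tree with shared prefixes and finds all of them in a single pass over a payload. The patterns and the payload are constructed for the example.

```python
from collections import deque

def build_automaton(patterns):
    """Build the keyword tree, failure links and output sets for byte patterns."""
    goto, fail, out = [{}], [0], [set()]     # state 0 is the root
    for pat in patterns:
        state = 0
        for b in pat:                        # patterns with a common prefix reuse states
            if b not in goto[state]:
                goto.append({}); fail.append(0); out.append(set())
                goto[state][b] = len(goto) - 1
            state = goto[state][b]
        out[state].add(pat)
    queue = deque(goto[0].values())          # depth-1 states fail to the root
    while queue:                             # breadth-first: shallow states first
        s = queue.popleft()
        for b, t in goto[s].items():
            queue.append(t)
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)      # longest proper suffix that is also a prefix
            out[t] |= out[fail[t]]           # inherit patterns ending at that suffix
    return goto, fail, out

def scan(payload, automaton):
    """Return sorted (offset, pattern) hits from one left-to-right pass."""
    goto, fail, out = automaton
    state, hits = 0, []
    for i, b in enumerate(payload):
        while state and b not in goto[state]:
            state = fail[state]              # fall back instead of rescanning bytes
        state = goto[state].get(b, 0)
        hits.extend((i - len(p) + 1, p) for p in out[state])
    return sorted(hits)

# Constructed content patterns; the two /cgi-bin/ entries share a 9-byte prefix.
PATTERNS = [b"/./", b"/cgi-bin/phf", b"/cgi-bin/test-cgi", b"%20%20%20%20"]
# Constructed payload bytes (no link or transport headers are searched).
PAYLOAD = b"GET /./././cgi-bin/phf?Qalias=x%20%20%20%20 HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    automaton = build_automaton(PATTERNS)
    print("states:", len(automaton[0]))
    for offset, pat in scan(PAYLOAD, automaton):
        print(offset, pat)
```
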




