[Oisf-devel] Pattern match algorithms

Victor Julien victor at inliniac.net
Sat Jul 24 09:16:43 UTC 2010

Robert Kerr wrote:
> Hi,
> I was wondering if the different pattern match algorithms are documented
> anywhere? The default seems to be b2g, but are there cases where b3g
> would be better? or wumanber? With snort the different algorithms mostly
> seem to be a time/memory trade off - the AC based algorithms being
> faster but more memory intensive. With suricata you seem to be able to
> tune the hash_size and bf_size for most of the algorithms. Is it safe to
> assume a bigger hash_size/bf_size means more speed?

Actually the hash_sizes seem to be broken, so I'd leave that at the
default for now.

b2g and b3g are a 2 and 3 gram version of the BNDM algorithm (see
http://www.siam.org/proceedings/alenex/2009/alx09_003_durianb.pdf, pdf
alert). In my very limited testing the 2 gram version is usually faster,
but way more testing is needed.


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list