Snort 2 – key features, improvements, and limitations
In this section, we continue to follow Snort's evolution. The Snort 2.x releases kept adding key features, but significant weight was given to performance: the in-depth analysis had to be done efficiently so that the sensor could keep up with growing network traffic loads.
As the number of signatures grew, the performance of the IDS suffered, because each rule's content was being tested against every packet one rule at a time. Snort 2.0 came with a significant enhancement: a multi-pattern search. Algorithms such as Aho-Corasick scan the packet or stream payload in a single pass whose cost is proportional to the payload length and largely independent of the number of patterns loaded (not O(1), but no longer proportional to the number of rules), and report which rules' content strings actually occur in the data. Only that subset of rules then needs to be completely evaluated, with its remaining options checked, instead of the whole rule set. This gave Snort a significant performance improvement. In addition, Snort 2.0 introduced the concept of HTTP flow-based analysis.
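The prefiltering idea described above, as an added example that is not Snort source code: an Aho-Corasick automaton is built over one content string per rule, the payload is scanned once, and only the rules whose string occurred are fully evaluated. The rule set, SIDs and payloads are constructed for this demo (hypothetical, not real Snort rules), and each rule's "remaining conditions" are stood in for by a small callable; real Snort rules carry other content, depth/offset and pcre options instead.

```python
"""Rule prefilter in the spirit of Snort 2's multi-pattern matcher.

Added illustrative example, not Snort code.  All rules, SIDs and
payloads below are constructed for the demo.
"""
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: one pass over the payload reports every
    loaded pattern that occurs, whatever the size of the pattern set."""

    def __init__(self):
        self.goto = [{}]      # state -> {byte: next_state}
        self.fail = [0]       # state -> fallback state on a mismatch
        self.out = [set()]    # state -> ids of patterns ending here

    def add(self, pattern: bytes, pattern_id) -> None:
        state = 0
        for byte in pattern:
            if byte not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append(set())
                self.goto[state][byte] = len(self.goto) - 1
            state = self.goto[state][byte]
        self.out[state].add(pattern_id)

    def build(self) -> None:
        """Compute failure links breadth-first (each link points at a
        shallower state) and merge outputs along them, so a suffix
        pattern such as b"passwd" also fires inside b"/etc/passwd"."""
        queue = deque(self.goto[0].values())   # root children fail to 0
        while queue:
            r = queue.popleft()
            for byte, s in self.goto[r].items():
                f = self.fail[r]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(byte, 0)
                self.out[s] |= self.out[self.fail[s]]
                queue.append(s)

    def search(self, data: bytes) -> set:
        """Single pass over data; returns ids of all patterns found."""
        state, hits = 0, set()
        for byte in data:
            while state and byte not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(byte, 0)
            hits |= self.out[state]
        return hits


# Constructed demo rules: sid -> (fast-pattern content, remaining conditions).
# The callable stands in for the rest of the rule body that Snort only
# evaluates for rules that survived the prefilter.
RULES = {
    1000001: (b"/cgi-bin/", lambda p: b"../" in p),
    1000002: (b"cmd.exe", lambda p: True),
    1000003: (b"/etc/passwd", lambda p: p.startswith(b"GET ")),
    1000004: (b"passwd", lambda p: b"POST" in p),
    1000005: (b"HTTP/1.0", lambda p: b"User-Agent:" in p),
}


def build_matcher(rules=RULES) -> AhoCorasick:
    ac = AhoCorasick()
    for sid, (fast_pattern, _) in rules.items():
        ac.add(fast_pattern, sid)
    ac.build()
    return ac


def inspect(payload: bytes, rules=RULES, matcher=None):
    """Return (candidate_sids, alerting_sids).  Only candidates, i.e. the
    rules whose content occurred in the payload, are fully evaluated."""
    if matcher is None:
        matcher = build_matcher(rules)
    candidates = matcher.search(payload)
    alerts = {sid for sid in candidates if rules[sid][1](payload)}
    return candidates, alerts


# Constructed sample payloads.
ATTACK = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: example.test\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    matcher = build_matcher()
    for name, payload in (("attack", ATTACK), ("benign", BENIGN)):
        cands, alerts = inspect(payload, matcher=matcher)
        print(f"{name}: {len(cands)} of {len(RULES)} rules fully evaluated, "
              f"alerts={sorted(alerts)}")
```

For the attack payload four of the five rules are candidates and two alert; for the benign request no content string occurs, so the full rule bodies are never evaluated at all, which is where the throughput gain comes from. Note that a short or common fast pattern (like `passwd` here) makes a rule a candidate far more often than a longer, more specific one, so the choice of which content string goes into the matcher matters as much as the matcher itself.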
The main features of Snort 2.0 were the addition...