[Winpcap-users] Full content-based filtering
Loris Degioanni
loris.degioanni at gmail.com
Thu Jun 23 07:11:35 GMT 2005
Oren Becker wrote:
> Hi.
>
> Do you think it's possible, efficiency-wise, to run a multi-pattern
> string matching algorithm to filter packets according to their contents?
> (search for many strings of various lengths)
>
> Have any efforts been done in this direction?
Yes, a lot of effort.

First, you need a good flow reassembly engine, because matching patterns
on single packets is not of great use. This is not trivial at all.

Second, you use one of the many multi-string search algorithms (I think
that variants of Aho/Corasick are still the most used).

Two papers that I have handy and that you can start with:

C. J. Coit, S. Staniford and J. McAlerney, Towards Faster String
Matching for Intrusion Detection or Exceeding the Speed of Snort, DARPA
Information Survivability Conference and Exposition (DISCEX II), August
2001.

M. Fisk and G. Varghese, An analysis of fast string matching applied to
content-based forwarding and intrusion detection, IEEE INFOCOM 2002.

I think the authors of Snort worked quite heavily on the subject, so I'm
sure you can find a lot of information (including sources to study) at
www.snort.org.

Loris
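As an added illustration of the two points in the reply above (not code from the list or from WinPcap), here is a minimal Aho-Corasick multi-pattern matcher run over a constructed two-segment TCP stream, showing why per-packet matching misses a signature that straddles a segment boundary while matching on the reassembled stream finds it. The signature strings and the HTTP request are constructed sample data.

```python
from collections import deque

def build_automaton(patterns):
    """Build Aho-Corasick goto/fail/output tables for a list of byte patterns."""
    goto, fail, out = [{}], [0], [set()]      # state 0 is the root
    for idx, pat in enumerate(patterns):
        state = 0
        for b in pat:                          # insert pattern into the trie
            if b not in goto[state]:
                goto.append({}); fail.append(0); out.append(set())
                goto[state][b] = len(goto) - 1
            state = goto[state][b]
        out[state].add(idx)
    queue = deque(goto[0].values())            # depth-1 states fail to root
    while queue:                               # BFS to compute failure links
        r = queue.popleft()
        for b, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and b not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(b, 0)
            out[s] |= out[fail[s]]             # inherit matches of the suffix state
    return goto, fail, out

def search(automaton, data):
    """Return (pattern_index, end_offset) for every pattern occurrence in data."""
    goto, fail, out = automaton
    state, hits = 0, []
    for pos, b in enumerate(data):
        while state and b not in goto[state]:
            state = fail[state]
        state = goto[state].get(b, 0)
        hits.extend((idx, pos) for idx in out[state])
    return hits

# Constructed IDS-style content signatures (index 1 is the one we care about).
PATTERNS = [b"cmd.exe", b"/etc/passwd", b"xp_cmdshell"]

# Constructed stream: one HTTP request split into two TCP segments so that
# "/etc/passwd" is cut in the middle ("/etc/pa" | "sswd").
SEGMENTS = [b"GET /cgi-bin/view?file=../../etc/pa", b"sswd HTTP/1.0\r\n"]

def match_per_packet(automaton, segments):
    """Naive approach: run the matcher on each segment independently."""
    return {idx for seg in segments for idx, _ in search(automaton, seg)}

def match_reassembled(automaton, segments):
    """Run the matcher on the reassembled byte stream."""
    return {idx for idx, _ in search(automaton, b"".join(segments))}

if __name__ == "__main__":
    ac = build_automaton(PATTERNS)
    print("per-packet hits:", match_per_packet(ac, SEGMENTS))
    print("reassembled hits:", match_reassembled(ac, SEGMENTS))
```

A real engine would also carry the automaton state across segments instead of concatenating, but the effect is the same: the signature is only visible once the stream is reassembled.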