[Winpcap-users] Full content-based filtering

Loris Degioanni loris.degioanni at gmail.com
Fri Jun 24 23:46:12 GMT 2005


I mean reconstructing the TCP flows from the packets transiting on the 
network. This of course requires reassembling IP fragments too.

Loris


Oren Becker wrote:
> Thanks for the answer.
> 
> When you say flow-reassembly, you mean putting the IP packets together 
> in the order they were sent?
> 
> 
> ----- Original Message ----- From: "Loris Degioanni" 
> <loris.degioanni at gmail.com>
> To: <winpcap-users at winpcap.org>
> Sent: Thursday, June 23, 2005 9:11 AM
> Subject: Re: [Winpcap-users] Full content-based filtering
> 
> 
>> Oren Becker wrote:
>>
>>> Hi.
>>> Do you think it's possible, efficiency-wise, to run a multi-pattern 
>>> string matching algorithm to filter packets according to their contents?
>>> (search for many strings of various lengths)
>>> Have any efforts been done in this direction?
>>
>>
>> Yes, a lot of efforts.
>> First, you need a good flow reassembly engine, because matching 
>> patterns on single packets is not of great use. This is not trivial at 
>> all.
>> Second, you use one of the many multi-string search algorithms (I 
>> think that variants of Aho/Corasick are still the most used).
>> Two papers that I have handy and that you can start with:
>>
>> C. J. Coit, S. Staniford and J. McAlerney, Towards Faster String 
>> Matching for Intrusion Detection or Exceeding the Speed of Snort, 
>> DARPA Information Survivability Conference and Exposition (DISCEX II), 
>> August 2001.
>>
>> M. Fisk and G. Varghese, An analysis of fast string matching applied 
>> to content-based forwarding and intrusion detection, IEEE INFOCOM 2002.
>>
>> I think the authors of Snort worked quite heavily on the subject, so 
>> I'm sure you can find a lot of information (including sources to 
>> study) at www.snort.org.
>>
>> Loris
>> _______________________________________________
>> Winpcap-users mailing list
>> Winpcap-users at winpcap.org
>> https://www.winpcap.org/mailman/listinfo/winpcap-users 
> 
> 
> 
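The two points Loris makes above, that a pattern split across segments is invisible to per-packet matching and that Aho-Corasick is the usual multi-string engine, can be shown together in one small program. This is an added example, not code from the thread, from WinPcap or from Snort: it implements a plain Aho-Corasick matcher, a minimal in-order TCP payload reassembler, and runs both over a constructed two-segment HTTP request whose segments arrive out of order. The pattern list, the sequence numbers and the segment contents are all made up for the demonstration; a real engine would additionally handle IP fragments, both directions of the connection, and the overlap and hole policies Loris calls "not trivial at all".

```python
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher: a trie over the patterns plus failure links,
    so a byte stream is scanned once regardless of how many patterns exist."""

    def __init__(self, patterns):
        self.goto = [{}]   # per-state transitions: byte -> next state
        self.fail = [0]    # per-state failure link
        self.out = [[]]    # patterns that end at each state
        for p in patterns:
            self._add(p)
        self._build_failure_links()

    def _add(self, pattern):
        state = 0
        for b in pattern:
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append(pattern)

    def _build_failure_links(self):
        # Breadth-first over the trie: a state's failure link always points
        # to a shallower state, which BFS has already finished.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Patterns ending at the failure state also end here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data, state=0):
        """Scan `data` from `state`; return ([(start_offset, pattern)], state).
        Returning the state lets a caller feed contiguous chunks one at a time."""
        matches = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for p in self.out[state]:
                matches.append((i - len(p) + 1, p))
        return matches, state


def reassemble(segments, isn):
    """Order (seq, payload) TCP segments by sequence number and concatenate the
    contiguous payload, trimming retransmitted overlap.
    Returns (stream, gap); gap is True when a segment is missing."""
    stream = bytearray()
    expected = isn
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        if seq + len(payload) <= expected:
            continue                      # pure retransmission, already have it
        if seq > expected:
            return bytes(stream), True    # hole: cannot continue in order
        stream += payload[expected - seq:]
        expected = seq + len(payload)
    return bytes(stream), False


def per_packet_matches(patterns, segments):
    """Match each segment in isolation, the approach Loris calls of little use."""
    ac = AhoCorasick(patterns)
    found = set()
    for _, payload in segments:
        hits, _ = ac.scan(payload)
        found.update(p for _, p in hits)
    return found


def flow_matches(patterns, segments, isn):
    """Reassemble the flow first, then match once over the ordered stream."""
    ac = AhoCorasick(patterns)
    stream, _gap = reassemble(segments, isn)
    hits, _ = ac.scan(stream)
    return {p for _, p in hits}


# Constructed sample data (hypothetical): three content strings to look for and
# one HTTP request split so that "/etc/passwd" straddles the segment boundary.
# The segments are listed out of order, as a capture might deliver them.
PATTERNS = [b"cmd.exe", b"/etc/passwd", b"passwd"]
ISN = 1000
SEGMENTS = [
    (ISN + 23, b"c/passwd HTTP/1.0\r\n\r\n"),
    (ISN, b"GET /cgi-bin/view?f=/et"),
]

if __name__ == "__main__":
    print("per-packet:", per_packet_matches(PATTERNS, SEGMENTS))
    print("per-flow:  ", flow_matches(PATTERNS, SEGMENTS, ISN))
```

Per-packet matching sees only the short "passwd" in the second segment; per-flow matching also reports the full "/etc/passwd" once the two payloads are joined in sequence order. Because `scan` returns its automaton state, a flow engine can pass each contiguous chunk through the matcher as it arrives instead of buffering the whole stream, which is how a pattern crossing a segment boundary is caught without unbounded memory.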
