[Winpcap-users] Full content-based filtering
Oren Becker
orenbecker at bezeqint.net
Thu Jun 23 18:29:10 GMT 2005
Thanks for the answer.
When you say flow-reassembly, you mean putting the IP packets together in
the order they were sent?
----- Original Message -----
From: "Loris Degioanni" <loris.degioanni at gmail.com>
To: <winpcap-users at winpcap.org>
Sent: Thursday, June 23, 2005 9:11 AM
Subject: Re: [Winpcap-users] Full content-based filtering
> Oren Becker wrote:
>> Hi.
>> Do you think it's possible, efficiency-wise, to run a multi-pattern
>> string matching algorithm to filter packets according to their contents?
>> (search for many strings of various lengths)
>> Have any efforts been done in this direction?
>
> Yes, a lot of efforts.
> First, you need a good flow reassembly engine, because matching patterns
> on single packets is not of great use. This is not trivial at all.
> Second, you use one of the many multi-string search algorithms (I think
> that variants of Aho/Corasick are still the most used).
> Two papers that I have handy and that you can start with:
>
> C. J. Coit, S. Staniford and J. McAlerney, Towards Faster String Matching
> for Intrusion Detection or Exceeding the Speed of Snort, DARPA Information
> Survivability Conference and Exposition (DISCEX II), August 2001.
>
> M. Fisk and G. Varghese, An analysis of fast string matching applied to
> content-based forwarding and intrusion detection, IEEE INFOCOM 2002.
>
> I think the authors of Snort worked quite heavily on the subject, so I'm
> sure you can find a lot of information (including sources to study) at
> www.snort.org.
>
> Loris
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users
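To make the two points in Loris's reply concrete (reassemble the flow first, then run a multi-string matcher such as Aho-Corasick over it), here is an added example that is not part of the thread, the WinPcap sources or Snort: a small Aho-Corasick automaton whose state survives across chunks, fed by a minimal in-order TCP segment reassembler. The segment data, sequence numbers and pattern list are constructed for the demonstration. It shows why per-packet matching is "not of great use": a pattern that straddles two segments is missed when each segment is scanned alone and found once the flow is reassembled.

```python
"""Multi-pattern matching over a reassembled TCP flow (added example).

Not from the WinPcap list thread or any WinPcap/Snort code. The
AhoCorasick and FlowReassembler classes, the PATTERNS list and the
SEGMENTS data are all constructed here for illustration.
"""
from collections import deque


class AhoCorasick:
    """Aho-Corasick automaton over bytes with a resumable match state."""

    def __init__(self, patterns):
        self.patterns = [bytes(p) for p in patterns]
        self.goto = [dict()]  # state -> {byte: next_state}
        self.fail = [0]       # failure link per state
        self.out = [[]]       # pattern indices that end at each state
        for idx, pat in enumerate(self.patterns):
            state = 0
            for b in pat:
                if b not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][b] = len(self.goto) - 1
                state = self.goto[state][b]
            self.out[state].append(idx)
        # Breadth-first pass: compute failure links, merge suffix outputs.
        queue = deque(self.goto[0].values())
        while queue:
            s = queue.popleft()
            for b, t in self.goto[s].items():
                queue.append(t)
                f = self.fail[s]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[t] = self.goto[f].get(b, 0)
                self.out[t] = self.out[t] + self.out[self.fail[t]]

    def feed(self, data, state=0, base=0):
        """Scan `data` starting in `state`; return (matches, new_state).

        `base` is the stream offset of data[0], so each match is reported
        as (stream_offset_of_pattern_start, pattern). Keeping `state`
        between calls lets a pattern span two chunks."""
        matches = []
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for idx in self.out[state]:
                pat = self.patterns[idx]
                matches.append((base + i + 1 - len(pat), pat))
        return matches, state


class FlowReassembler:
    """In-order reassembly for one TCP direction: holds out-of-order
    segments and releases bytes only once they are contiguous with
    `next_seq`; retransmitted or overlapping bytes are trimmed away."""

    def __init__(self, isn):
        self.next_seq = isn
        self.pending = {}  # seq -> payload, waiting for the gap to close

    def add(self, seq, payload):
        """Accept one segment; return the newly contiguous bytes."""
        self.pending[seq] = payload
        out = bytearray()
        progressed = True
        while progressed:
            progressed = False
            for s in sorted(self.pending):
                p = self.pending.pop(s)
                end = s + len(p)
                if end <= self.next_seq:
                    continue  # pure retransmission, already delivered
                if s > self.next_seq:
                    self.pending[s] = p  # gap in front of it, keep waiting
                    continue
                out += p[self.next_seq - s:]  # trim any overlap
                self.next_seq = end
                progressed = True
                break
        return bytes(out)


# Constructed data: an HTTP request split so "evil.exe" straddles two
# segments, delivered out of order, plus one retransmitted segment.
PATTERNS = [b"evil.exe", b"cmd.exe", b"HTTP/1.0"]
ISN = 1000
_FIRST = b"GET /downloads/ev"
SEGMENTS = [
    (ISN + len(_FIRST), b"il.exe HTTP/1.0\r\n\r\n"),  # arrives first
    (ISN, _FIRST),                                    # fills the gap
    (ISN, _FIRST),                                    # retransmission
]


def scan_per_packet(patterns, segments, isn):
    """Naive approach: match each segment on its own (misses split hits)."""
    ac = AhoCorasick(patterns)
    hits = []
    for seq, payload in segments:
        matches, _ = ac.feed(payload, base=seq - isn)
        hits.extend(matches)
    return hits


def scan_reassembled(patterns, segments, isn):
    """Reassemble, then match with state carried across chunks."""
    ac = AhoCorasick(patterns)
    flow = FlowReassembler(isn)
    state, hits = 0, []
    for seq, payload in segments:
        chunk = flow.add(seq, payload)
        base = flow.next_seq - len(chunk) - isn  # stream offset of chunk[0]
        matches, state = ac.feed(chunk, state, base)
        hits.extend(matches)
    return hits


if __name__ == "__main__":
    print("per packet :", scan_per_packet(PATTERNS, SEGMENTS, ISN))
    print("reassembled:", scan_reassembled(PATTERNS, SEGMENTS, ISN))
```

The per-packet scan only reports `HTTP/1.0`, which happens to sit inside one segment; the reassembled scan also reports `evil.exe` at stream offset 15. A real engine additionally has to bound per-flow buffering, evict idle flows, and decide how to treat overlapping retransmissions whose contents differ (the code above simply keeps the first copy), which is where most of the "not trivial at all" lives.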