IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IDS\IPS that can handle one Gig

From: Mike Frantzen <frantzen () nfr com>
Date: Mon, 6 Jun 2005 10:26:52 -0400


Think about it from an architectural perspective - these devices have a
single REGEX processor, and performance will degrade the more signatures you
tell this processor to look for.


There are a plethora of multi-pattern regex algorithms that even with a
ton of patterns will only walk the packet data once (not many times as
most people would think).  Shift-Or, Aho-Corasick and DFAs are the ones
that immedietly jump to mind.  IIRC they're all between O(n) and O(n+m)
where 'n' is your data length and 'm' is your maximum pattern size.
Notice that the algorimic complexities don't care about the number of
signatures...


There are other reasons not to design intrusion detection/prevention
around pattern matching.  But performance is certainly not one.

The perfomanace nut in me wishes we at NFR could switch our product to
pattern matching.  Then I remember I'm a security guy.
 
.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP:  CC A4 E2 E8 0C F8 42 F0  BC 26 85 5B 6F 9E ED 28

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: