Snort mailing list archives

Stream5 and Frag3 preprocessors


From: Pablo Cantos <pablocantos () gmail com>
Date: Wed, 9 Nov 2011 10:46:00 +0100

Hi all,

I'm just starting my End of College Project. It's going to be based on
improving Snort performance by prefiltering the pattern matching stage with
some Bloom-based algorithm.

In order to do this, the packets need to be already defragmented and
streamed, as doing this before reaching Snort might sound good but would
be extremely insecure.

Thus, I want to take advantage of the work done by Stream5 and Frag3
preprocessors.

My question is, where is the best place to do this? Should I implement this
as a preprocessor itself or should I modify existing Pattern Matching calls
to do it? This second task is a bit easier now as Sourcefire did a nice
abstraction job to integrate Intel's QuickAssist Pattern Patcher, but I guess
it will still be easier to do so as a preprocessor.

What do you guys suggest?

Very thankful in advance.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
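
The point the post makes about prefiltering only after defragmentation and stream reassembly, shown as an added example (not code from the post or from Snort, and not using Snort's preprocessor API): a Bloom prefilter over 4-byte pattern prefixes stays silent on each segment when a pattern straddles the boundary, but flags the reassembled buffer. The names `bloom_t`, `bloom_add` and `prefilter`, the filter size and the sample pattern and segments are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOOM_BITS 8192u  /* filter size in bits (assumed for this demo) */
#define GRAM 4u           /* window length; patterns must be >= GRAM bytes */
typedef struct { uint8_t bits[BLOOM_BITS / 8]; } bloom_t;

/* Bit index for one GRAM-byte window: FNV-1a, seeded to give two hashes. */
static uint32_t gram_bit(const uint8_t *p, uint32_t k)
{
    uint32_t h = 2166136261u ^ (k * 0x9e3779b9u);
    for (size_t i = 0; i < GRAM; i++) { h ^= p[i]; h *= 16777619u; }
    return h % BLOOM_BITS;
}

/* Insert the first GRAM bytes of a rule pattern; -1 if it is too short. */
int bloom_add(bloom_t *b, const char *pattern)
{
    if (strlen(pattern) < GRAM) return -1;
    for (uint32_t k = 0; k < 2; k++) {
        uint32_t i = gram_bit((const uint8_t *)pattern, k);
        b->bits[i / 8] |= (uint8_t)(1u << (i % 8));
    }
    return 0;
}

/* 1 if some window may start a pattern (run the full matcher),
 * 0 if the buffer certainly holds no complete pattern prefix. */
int prefilter(const bloom_t *b, const void *buf, size_t len)
{
    const uint8_t *p = buf;
    for (size_t i = 0; i + GRAM <= len; i++) {
        uint32_t a = gram_bit(p + i, 0), c = gram_bit(p + i, 1);
        if ((b->bits[a / 8] >> (a % 8)) & (b->bits[c / 8] >> (c % 8)) & 1u)
            return 1;
    }
    return 0;
}

int main(void)
{
    bloom_t b = {{0}};
    bloom_add(&b, "cmd.exe");                    /* constructed pattern */
    const char *s1 = "GET /cm", *s2 = "d.exe";   /* constructed segments */
    printf("segments: %d %d  reassembled: %d\n", prefilter(&b, s1, 7),
           prefilter(&b, s2, 5), prefilter(&b, "GET /cmd.exe", 12));
    return 0;
}
```

A Bloom filter has no false negatives on the buffer it is given, so a 0 on the reassembled stream safely skips the full matcher; a 0 on an individual segment says nothing about the stream as a whole.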
