OSEC

Subject: Re: network based IDS
From: Bennett Todd (betRAHUL.NET)
Date: Fri Dec 08 2000 - 18:41:56 CST


2000-12-08-17:13:58 Robert Graham:
> Network ICE is perversely "branchy" code, where most "signatures"
> branch to a specific location in the packet and do a single match
> for a pattern. Therefore, reducing the number of signatures will
> not have any impact on the performance of Network ICE.

That sounds a little reminiscent of the basic concept in Boyer-Moore
searching; find a more efficient test for quick screening than the
most naive and obvious start-from-the-beginning.

But the way you phrase your description, it _sounds_ more like
you're saying that each signature's search is particularly
well optimized, in the spirit of B-M search; but I don't see
your "Therefore" following from your description of the search
optimization. To get your "Therefore" (more sigs don't linearly slow
down the scan) you'd need to be doing something more like the fgrep
concept, organize all the candidate patterns somehow and build a
search tree automatically to get O(lgN)-ish scaling with number of
patterns. Was that what you meant? It'd be pretty scary to see the
Boyer-Moore-style optimization combined with the weeding-tree style,
but then, people managed to find a way to bolt B-M into regexp
engines, so there are definitely some scary people out there.

-Bennett
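To make the distinction in the message above concrete, here is an added example (not code from the thread, and not Network ICE's or anyone's IDS engine). It puts a per-signature scan next to an Aho-Corasick automaton, the multi-pattern algorithm behind classic fgrep, and counts the work each does over one packet payload. The payload and the signature strings are constructed for illustration and are not taken from any real ruleset; the filler signatures exist only to show how cost changes when the signature count grows.

```python
"""Per-signature scanning versus one fgrep-style multi-pattern automaton.

Added example for the OSEC thread on IDS signature scaling; it is not
code from the original message or from any IDS product. The payload and
signatures are constructed test data, not a real ruleset.
"""
from collections import deque


def naive_scan(data, patterns):
    """Try every pattern at every offset: work grows with len(patterns)."""
    hits = []
    steps = 0
    for pat in patterns:
        for i in range(len(data) - len(pat) + 1):
            steps += 1                      # one candidate alignment examined
            if data[i:i + len(pat)] == pat:
                hits.append((i, pat))
    return hits, steps


class AhoCorasick:
    """Trie plus failure links: a single pass over the input finds all patterns."""

    def __init__(self, patterns):
        self.goto = [{}]      # state -> {byte: next state}
        self.fail = [0]       # state -> longest proper suffix that is also a trie path
        self.out = [[]]       # state -> patterns that end in this state
        for pat in patterns:
            self._add(pat)
        self._link()

    def _add(self, pat):
        s = 0
        for b in pat:
            nxt = self.goto[s].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[s][b] = nxt
            s = nxt
        self.out[s].append(pat)

    def _link(self):
        # Breadth-first so a state's failure target is finished before the state.
        queue = deque(self.goto[0].values())        # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s].extend(self.out[self.fail[s]])   # inherit suffix matches
                queue.append(s)

    def search(self, data):
        """Return (hits, transitions). Each fail step undoes a depth gained by an
        earlier goto, so transitions <= 2 * len(data) whatever the pattern count."""
        hits = []
        s = 0
        transitions = 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
                transitions += 1
            s = self.goto[s].get(b, 0)
            transitions += 1
            for pat in self.out[s]:
                hits.append((i - len(pat) + 1, pat))
        return hits, transitions


def compare(data, patterns):
    """Run both scanners and report matches plus the work each performed."""
    naive_hits, naive_steps = naive_scan(data, patterns)
    ac_hits, ac_steps = AhoCorasick(patterns).search(data)
    return {"naive_hits": sorted(naive_hits), "naive_steps": naive_steps,
            "ac_hits": sorted(ac_hits), "ac_steps": ac_steps}


# Constructed sample: one HTTP request line carrying a traversal attempt.
PAYLOAD = b"GET /cgi-bin/test.cgi?file=../../etc/passwd HTTP/1.0\r\n"
BASE_SIGS = [b"/etc/passwd", b"passwd", b"/bin/sh", b"cmd.exe", b"../"]
# Fifty constructed filler signatures that never match, to show cost scaling.
MANY_SIGS = BASE_SIGS + [b"filler-sig-%02d" % i for i in range(50)]

if __name__ == "__main__":
    for label, sigs in (("5 signatures", BASE_SIGS), ("55 signatures", MANY_SIGS)):
        r = compare(PAYLOAD, sigs)
        print(label, "naive steps:", r["naive_steps"],
              "automaton transitions:", r["ac_steps"], "bound:", 2 * len(PAYLOAD))
        print("   hits:", r["ac_hits"])
```

Running it shows the naive scanner's work jumping roughly tenfold when fifty signatures are added, while the automaton stays under two transitions per payload byte and still reports the same four matches, including the overlapping `/etc/passwd` and `passwd` hits that the failure links surface in one pass. That is the property needed for "fewer signatures does not speed up the scan" to follow; a per-signature search that is merely well optimized, Boyer-Moore style, still costs one pass per signature.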
