From: Stuart Staniford (stuartsilicondefense.com)
Date: Mon Aug 06 2001 - 21:32:21 CDT
> The second bottleneck is NIDS analysis at high rates. Most NIDS use
> "pattern-match", which has the property that the more signatures you add,
> the slower it becomes. Network ICE uses "state-based protocol-analysis",
> which means that it doesn't slow down as you add signatures because it
> follows a decision tree.
Mmmm. Pattern matching need not degrade linearly with the number of signatures - the
pattern match can be organized into a tree also. See
And protocol analysis approaches such as you describe must degrade somewhat with more
signatures, because the depth of the decision tree is increasing (presumably that
degradation is linear).
[This is not intended as a general comment on pattern-matching versus protocol analysis,
just a clarification that this particular argument Rob makes is much less clear-cut than
--
Stuart Staniford --- President --- Silicon Defense
** Silicon Defense: Technical Support for Snort **
mailto:stuartsilicondefense.com http://www.silicondefense.com/
(707) 445-4355 x 16 (707) 445-4222 (FAX)
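
Added example, not part of the original post or of any product named in it: a minimal tree-organized multi-pattern matcher of the kind the reply says is possible. Aho-Corasick is an assumption chosen for illustration (the post does not name an algorithm), and the signatures and payload are constructed. The scan follows at most two transitions per payload byte no matter how many signatures are loaded.

```python
from collections import deque

# Constructed sample data for illustration only.
SIGNATURES = [b"/etc/passwd", b"passwd", b"cmd.exe"]
PAYLOAD = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0"

def build(signatures):
    """Build an Aho-Corasick automaton: trie edges, failure links, outputs."""
    goto, fail, out = [{}], [0], [[]]
    for sig in signatures:
        s = 0
        for b in sig:
            if b not in goto[s]:
                goto.append({}); fail.append(0); out.append([])
                goto[s][b] = len(goto) - 1
            s = goto[s][b]
        out[s].append(sig)
    queue = deque(goto[0].values())        # depth-1 states fail to the root
    while queue:
        s = queue.popleft()
        for b, t in goto[s].items():
            f = fail[s]
            while f and b not in goto[f]:  # longest suffix that is also a prefix
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] = out[t] + out[fail[t]] # inherit shorter matches ending here
            queue.append(t)
    return goto, fail, out

def scan(automaton, payload):
    """Return ([(end_offset, signature)], number of transitions followed)."""
    goto, fail, out = automaton
    s, steps, hits = 0, 0, []
    for i, b in enumerate(payload):
        while s and b not in goto[s]:      # fall back along failure links
            s = fail[s]; steps += 1
        s = goto[s].get(b, 0); steps += 1
        hits += [(i + 1, sig) for sig in out[s]]
    return hits, steps

if __name__ == "__main__":
    for n_extra in (0, 2000):              # same payload, 3 vs 2003 signatures
        extra = [b"sig-%04d-filler" % i for i in range(n_extra)]
        hits, steps = scan(build(SIGNATURES + extra), PAYLOAD)
        print(len(SIGNATURES) + n_extra, "signatures:", steps, "transitions", hits)
```

What grows with the signature count is the memory for the automaton and the one-time build, not the per-byte scan work.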