EEJournal

editor's blog
Subscribe Now
July 27, 2011

Open-Source DPI

by Bryon Moyer

Deep packet inspection (DPI) is all about understanding what’s in network traffic – minimally, to be aware of it (an intrusion detection system, or IDS), but, more commonly these days, to do something about it (an intrusion prevention system, or IPS).

Part 1 of our DPI coverage was motivated by a DPI bake-off run by Netronome. The benchmark used was the Snort algorithm. Snort is a free, open-source program for implementing IDS or IPS, and it has been widely used. It consists of the program itself and a body of rules that are being updated regularly. This “crowdsourcing” of rules is one of the things that make Snort appealing. An installation of Snort can be regularly updated with new rules.

Snort can operate in one of three modes. The first two simply display packets: one on screen, the other by logging to files. The third mode is the most powerful one: it can search for content in a packet and then, optionally, do something if the looked-for thing shows up. When used passively alongside the network, Snort acts as an IDS. When placed inline, as a “bump in the wire,” Snort acts as an IPS and can block, pass, create, or modify packets.

The key to Snort is the body of rules, both those that exist and new ones that can be created. Each rule consists of a header and a set of options. The header specifies an action as well as traffic information about the packet to be monitored (source, destination, port, etc.). The options provide alert messages and content to be located, as well as possible limitations on where to look for the content.

Content searching is done largely based on regular expressions. There are more than 4000 rules at present. This creates a major computing burden, since all rules theoretically need to be run against all packets. The fact that the rules are independent suggests that many rules could be run in parallel using independent content inspection engines, each of which would handle separate rules.

The problem is that all these rules require searching the packet, which is stored in memory, and there aren’t that many ports allowing simultaneous access to the packet. Making multiple copies of the packet takes too long, which leaves running the rules in series as the only option.

The way this is handled is that the rules are constructed hierarchically and compiled into a tree so that, as the packet is searched, the tree is traversed, effectively eliminating rules that aren’t being met and allowing for a much smaller subset of rules to be run.

The execution of all these regular expression checks is still significant work, and, in a future article, we’ll look at one option for accelerating that work.

More info on Snort is available here

Leave a Reply

featured blogs
This Week in CFD
Jan 21, 2022
Here are a few teasers for what you'll find in this week's round-up of CFD news and notes. How AI can be trained to identify more objects than are in its learning dataset. Will GPUs really... [[ Click on the title to access the full blog on the Cadence Community si...
More from Cadence...
The Future of High-Performance Computing (HPC): Key Predictions for 2022
Jan 20, 2022
High performance computing continues to expand & evolve; our team shares their 2022 HPC predictions including new HPC applications and processor architectures. The post The Future of High-Performance Computing (HPC): Key Predictions for 2022 appeared first on From Silico...
More from Synopsys...
Wonderful Wordle
Jan 20, 2022
As Josh Wardle famously said about his creation: "It's not trying to do anything shady with your data or your eyeballs ... It's just a game that's fun.'...
More from Max's Cool Beans...

featured video

Synopsys & Samtec: Successful 112G PAM-4 System Interoperability

Sponsored by Synopsys

This Supercomputing Conference demo shows a seamless interoperability between Synopsys' DesignWare 112G Ethernet PHY IP and Samtec's NovaRay IO and cable assembly. The demo shows excellent performance, BER at 1e-08 and total insertion loss of 37dB. Synopsys and Samtec are enabling the industry with a complete 112G PAM-4 system, which is essential for high-performance computing.

Click here for more information about DesignWare Ethernet IP Solutions

featured paper

nanoPower Module Extends Battery Life in Space-Constrained Applications

Sponsored by Analog Devices

Designers can now increase battery life and reduce size in space-constrained IoT devices with a power module that features the lowest quiescent current compared to competitive solutions and uSLIC built-in inductor technology that reduces solution size by up to 37%.

Read Now

featured chalk talk

Accelerating Innovation at the Edge with Xilinx Adaptive System on Modules

Sponsored by Xilinx

The combination of system-on-module technology with advanced SoCs with programmable logic offer the ultimate in functionality, performance, flexibility, power efficiency, and ease of use. In this episode of Chalk Talk, Amelia Dalton chats with Karan Kantharia of Xilinx about the new Kira SOM, and how it enables faster time-to-deployment versus conventional component-based design.

Click here for more information about Kria Adaptive System-on-Modules