EEJournal

editor's blog
Subscribe Now
July 27, 2011

Open-Source DPI

by Bryon Moyer

Deep packet inspection (DPI) is all about understanding what’s in network traffic – minimally, to be aware of it (an intrusion detection system, or IDS), but, more commonly these days, to do something about it (an intrusion prevention system, or IPS).

Part 1 of our DPI coverage was motivated by a DPI bake-off run by Netronome. The benchmark used was the Snort algorithm. Snort is a free, open-source program for implementing IDS or IPS, and it has been widely used. It consists of the program itself and a body of rules that are being updated regularly. This “crowdsourcing” of rules is one of the things that make Snort appealing. An installation of Snort can be regularly updated with new rules.

Snort can operate in one of three modes. The first two simply display packets: one on screen, the other by logging to files. The third mode is the most powerful one: it can search for content in a packet and then, optionally, do something if the looked-for thing shows up. When used passively alongside the network, Snort acts as an IDS. When placed inline, as a “bump in the wire,” Snort acts as an IPS and can block, pass, create, or modify packets.

The key to Snort is the body of rules, both those that exist and new ones that can be created. Each rule consists of a header and a set of options. The header specifies an action as well as traffic information about the packet to be monitored (source, destination, port, etc.). The options provide alert messages and content to be located, as well as possible limitations on where to look for the content.

Content searching is done largely based on regular expressions. There are more than 4000 rules at present. This creates a major computing burden, since all rules theoretically need to be run against all packets. The fact that the rules are independent suggests that many rules could be run in parallel using independent content inspection engines, each of which would handle separate rules.

The problem is that all these rules require searching the packet, which is stored in memory, and there aren’t that many ports allowing simultaneous access to the packet. Making multiple copies of the packet takes too long, which leaves running the rules in series as the only option.

The way this is handled is that the rules are constructed hierarchically and compiled into a tree so that, as the packet is searched, the tree is traversed, effectively eliminating rules that aren’t being met and allowing for a much smaller subset of rules to be run.

The execution of all these regular expression checks is still significant work, and, in a future article, we’ll look at one option for accelerating that work.

More info on Snort is available here

Leave a Reply

featured blogs
Check Out the Latest Mobile Experience Upgrades on Samtec.com
Oct 20, 2020
In 2020, mobile traffic has skyrocketed everywhere as our planet battles a pandemic. Samtec.com saw nearly double the mobile traffic in the first two quarters than it normally sees. While these levels have dropped off from their peaks in the spring, they have not returned to ...
More from Samtec, Inc....
Voltus Voice: Accelerate Power Signoff and Design Closure with Targeted Local PG Addition
Oct 20, 2020
Voltus TM IC Power Integrity Solution is a power integrity and analysis signoff solution that is integrated with the full suite of design implementation and signoff tools of Cadence to deliver the... [[ Click on the title to access the full blog on the Cadence Community site...
More from Cadence...
Robinson, Goldberg, and Steampunk Meet Beer and Cucumbers
Oct 19, 2020
Have you ever wondered if there may another world hidden behind the facade of the one we know and love? If so, would you like to go there for a visit?...
More from Max\'s Cool Beans...
Letting the Math Do the Talking
Oct 16, 2020
[From the last episode: We put together many of the ideas we'€™ve been describing to show the basics of how in-memory compute works.] I'€™m going to take a sec for some commentary before we continue with the last few steps of in-memory compute. The whole point of this web...
More from Inside the IoT...

featured video

Demo: Inuitive NU4000 SoC with ARC EV Processor Running SLAM and CNN

Sponsored by Synopsys

See Inuitive’s NU4000 3D imaging and vision processor in action. The SoC supports high-quality 3D depth processor engine, SLAM accelerators, computer vision, and deep learning by integrating Synopsys ARC EV processor. In this demo, the NU4000 demonstrates simultaneous 3D sensing, SLAM and CNN functionality by mapping out its environment and localizing the sensor while identifying the objects within it. For more information, visit inuitive-tech.com.

Click here for more information about DesignWare ARC EV Processors for Embedded Vision

featured Paper

New package technology improves EMI and thermal performance with smaller solution size

Sponsored by Texas Instruments

Power supply designers have a new tool in their effort to achieve balance between efficiency, size, and thermal performance with DC/DC power modules. The Enhanced HotRod™ QFN package technology from Texas Instruments enables engineers to address design challenges with an easy-to-use footprint that resembles a standard QFN. This new package type combines the advantages of flip-chip-on-lead with the improved thermal performance presented by a large thermal die attach pad (DAP).

Click here to download the whitepaper

Featured Chalk Talk

Hello FPGA

Sponsored by Mouser Electronics and Microchip

Getting started on an FPGA-based embedded vision project can be tricky. Locating all the components you need, getting them to talk to each other, and just getting your system to the video equivalent of “Hello World” is a pretty daunting task. In this episode of Chalk Talk, Amelia Dalton chats with Avery Williams of Microchip Technology about the Hello FPGA kit - a low-cost, low-touch embedded vision kit for engineers new to FPGAs.

More information about Microchip Technology Hello FPGA Kit