[Bro] Use of GPUs for signature matching?
Sunjeet Singh
sstattla at gmail.com
Mon Oct 18 10:31:13 PDT 2010

Bro currently follows a single-threaded model in which every incoming
packet is first filtered, analyzed for protocol based on its signature
(and not simply port-number) and then handled according to a
user-defined policy for that protocol. While Bro provides mechanisms to
distribute the processing of the handled policy events, the protocol
analysis poses a performance bottleneck in that it might not be able to
keep up with the speed of incoming packets.

In Bro's signature matching engine, connections sometimes trigger more
than one signature and so cannot be immediately associated with a
protocol. But as more connection packets arrive, a better decision about
the protocol involved can be made. During this process, different
protocol analyzers may be spawned and killed until finally the right
protocol is arrived at. Regular expression matching is done here to
match signatures.

I believe that GPUs can be used here to perform parallel signature
matching by different protocol analyzers, thus speeding up the protocol
analysis phase. With this, Bro would be able to operate at a higher
packet rate than it does now.

If this is true, I would like to do this. I would appreciate it if you could
share your thoughts.

Snort's packet processing throughput increased by 60% with the use of
GPUs ( http://www.springerlink.com/content/b3m7662014272t8m/ ) and
Suricata has plans to introduce GPUs (
http://blog.securitymonks.com/2010/08/26/three-little-idsips-engines-build-their-open-source-solutions/ ).

Thank you,
Sunjeet Singh
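
A simplified sketch of the candidate-narrowing process the message describes, added here as an illustration; it is not Bro's code or the poster's. The command sets, the `Connection` class and the sample payloads are constructed assumptions. The per-analyzer regex matches inside `feed` are independent of each other, which is the work the message proposes to run in parallel.

```python
import re

# Constructed, heavily simplified command sets (small subsets of each protocol).
COMMANDS = {
    "ftp": ("USER", "PASS", "RETR", "CWD", "PASV", "TYPE", "QUIT"),
    "pop3": ("USER", "PASS", "RETR", "UIDL", "TOP", "QUIT"),
    "irc": ("USER", "PASS", "NICK", "JOIN", "PRIVMSG", "QUIT"),
}

# One payload regex per hypothetical analyzer: a line must start with a known command.
ANALYZERS = {
    proto: re.compile(b"^(?:" + "|".join(cmds).encode() + b")(?: |\r\n)")
    for proto, cmds in COMMANDS.items()
}


class Connection:
    """Tracks which candidate analyzers are still alive for one connection."""

    def __init__(self):
        self.alive = None      # None until the first payload has been seen
        self.history = []      # candidate set after each payload

    def feed(self, payload: bytes):
        if self.alive is None:
            # First payload: spawn an analyzer for every signature that matches.
            candidates = ANALYZERS
        else:
            # Later payloads: only surviving analyzers get to look at the data.
            candidates = {p: ANALYZERS[p] for p in self.alive}
        # Each regex match is independent of the others.
        self.alive = {p for p, rx in candidates.items() if rx.match(payload)}
        self.history.append(sorted(self.alive))
        return self.alive

    def protocol(self):
        """Return the protocol once exactly one analyzer is left, else None."""
        return next(iter(self.alive)) if self.alive and len(self.alive) == 1 else None


def classify(payloads):
    conn = Connection()
    for payload in payloads:
        conn.feed(payload)
    return conn.protocol(), conn.history


if __name__ == "__main__":
    # Constructed client payloads: ambiguous at first, POP3 by the fourth line.
    sample = [b"USER alice\r\n", b"PASS hunter2\r\n", b"RETR 1\r\n", b"UIDL\r\n"]
    print(classify(sample))
```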