[Bro] hyperscan and bro

erik clark philosnef at gmail.com
Thu Nov 17 07:07:33 PST 2016


Matching acceleration. Currently, we do not have groups in our regexes in
Bro. From a practical point of view, neither does hyperscan. Moving to an
accelerated regex matching engine with roughly the same features as the
current implementation through flex in Bro would allow for more expensive
expressions to be rolled out with less overhead. We have seen issues with
some moderately intense regular expressions causing giant spikes in load,
and pushing it through hyperscan would help alleviate it. I realize this
constitutes a major departure from how they are handled currently, but
thought if there was interest, we might be able to push it into 2.6 or even
as far out as 2.7....

On Thu, Nov 17, 2016 at 9:18 AM, Seth Hall <seth at icir.org> wrote:

>
> > On Nov 15, 2016, at 4:36 AM, erik clark <philosnef at gmail.com> wrote:
> >
> > Anyone looked into doing hyperscan for pattern matching in Bro? The
> current pattern matching is very MEH, and it makes me wonder if it might be
> possible to use hyperscan and a plugin to do more intense pattern matching.
>
> Is there something in particular that you are unable to do that hyperscan
> would enable?
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>