Fast Packet Classification for Snort by Native Compilation of Rules
Source: Stony Brook University
Signature matching, which includes packet classification and content matching, is the most expensive operation of a signature-based Network Intrusion Detection System (NIDS). This paper presents a technique to improve the performance of packet classification in Snort, a popular open-source NIDS, by generating native code from Snort signatures. An obvious way to generate native code for packet classification is to use a low-level language like C and access the contents of a packet by treating it as a sequence of bytes. Generating such low-level code manually is cumbersome and error-prone; using a high-level specification language simplifies the task of writing packet classification code.
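As an added illustration of the approach the abstract describes (this is not code from the paper or from Snort, and the paper's own specification language and compilation scheme are not shown on this page), the following Python script parses a small subset of Snort rule-header syntax, evaluates the headers against raw IPv4 packets with a byte-level reference interpreter, and emits an equivalent C match function per rule that reads the packet as a sequence of bytes at fixed header offsets. The rule subset, the sample packets, and the `load32`/`load16` helpers in the emitted C are constructed here for the example.

```python
import ipaddress
import struct

# Constructed sample rules in Snort header syntax: action proto src sport -> dst dport.
RULES = [
    "alert tcp any any -> 192.168.1.0/24 80",
    "alert udp any any -> any 53",
    "alert ip 10.0.0.0/8 any -> any any",
]
PROTO_NUM = {"ip": None, "tcp": 6, "udp": 17}   # None = any IP protocol


def parse_rule(text):
    """Parse a rule header into a protocol number, masked networks and ports (None = any)."""
    parts = text.split()
    if len(parts) != 7 or parts[4] != "->" or parts[1] not in PROTO_NUM:
        raise ValueError("unsupported rule header: %r" % text)
    net = lambda s: None if s == "any" else ipaddress.ip_network(s, strict=False)
    port = lambda s: None if s == "any" else int(s)
    rule = {"proto": PROTO_NUM[parts[1]], "src": net(parts[2]), "sport": port(parts[3]),
            "dst": net(parts[5]), "dport": port(parts[6])}
    if rule["proto"] is None and (rule["sport"] is not None or rule["dport"] is not None):
        raise ValueError("port constraints need tcp or udp: %r" % text)
    return rule


def rule_matches(rule, pkt):
    """Reference interpreter: the same byte-offset checks the generated C performs."""
    if len(pkt) < 20:                       # truncated IPv4 header: never match
        return False
    ihl = (pkt[0] & 0x0F) * 4               # IPv4 header length in bytes
    if rule["proto"] is not None and pkt[9] != rule["proto"]:
        return False
    for net, off in ((rule["src"], 12), (rule["dst"], 16)):
        if net is None:
            continue
        addr = int.from_bytes(pkt[off:off + 4], "big")
        if (addr & int(net.netmask)) != int(net.network_address):
            return False
    if rule["sport"] is not None or rule["dport"] is not None:
        if len(pkt) < ihl + 4:              # transport ports not present
            return False
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        if rule["sport"] is not None and sport != rule["sport"]:
            return False
        if rule["dport"] is not None and dport != rule["dport"]:
            return False
    return True


def classify(rules, pkt):
    """Indexes of all rules whose header matches the packet."""
    return [i for i, r in enumerate(rules) if rule_matches(r, pkt)]


# Helpers emitted once per generated C file (constructed for this example).
C_PRELUDE = """#include <stddef.h>
#include <stdint.h>

static uint32_t load32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t load16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

"""


def gen_rule_c(i, rule):
    """Emit one C function that returns 1 when the packet bytes satisfy rule i."""
    out = ["int match_rule_%d(const unsigned char *p, size_t len) {" % i,
           "    if (len < 20) return 0;",
           "    unsigned ihl = (p[0] & 0x0F) * 4u;"]
    if rule["proto"] is not None:
        out.append("    if (p[9] != %d) return 0;" % rule["proto"])
    for net, off in ((rule["src"], 12), (rule["dst"], 16)):
        if net is not None:
            out.append("    if ((load32(p + %d) & 0x%08Xu) != 0x%08Xu) return 0;"
                       % (off, int(net.netmask), int(net.network_address)))
    if rule["sport"] is not None or rule["dport"] is not None:
        out.append("    if (len < ihl + 4) return 0;")
        if rule["sport"] is not None:
            out.append("    if (load16(p + ihl) != %d) return 0;" % rule["sport"])
        if rule["dport"] is not None:
            out.append("    if (load16(p + ihl + 2) != %d) return 0;" % rule["dport"])
    out += ["    return 1;", "}"]
    return "\n".join(out)


def generate_c(rules):
    """Emit a C translation unit with one match function per rule."""
    return C_PRELUDE + "\n\n".join(gen_rule_c(i, r) for i, r in enumerate(rules)) + "\n"


def ipv4_packet(proto, src, dst, sport, dport):
    """Constructed sample packet: minimal IPv4 header (IHL=5) plus the transport port fields."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + struct.pack("!HH", sport, dport)


if __name__ == "__main__":
    rules = [parse_rule(t) for t in RULES]
    pkt = ipv4_packet(6, "172.16.0.5", "192.168.1.10", 40000, 80)
    print("matching rules:", classify(rules, pkt))
    print(generate_c(rules))
```

The interpreter and the generator share one set of offsets (protocol at byte 9, addresses at 12 and 16, ports at IHL and IHL+2), so the Python path can serve as a test oracle for the emitted C: any packet the interpreter accepts or rejects should be treated the same way by the compiled function, and both refuse truncated headers before reading past the buffer.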