[Snort-devel] How the rules are organized for packets matching?

Randal T. Rioux randy at ...3004...
Tue Aug 2 19:49:47 EDT 2011


On 7/30/2011 11:22 PM, Peter Peng wrote:
> We aim to adopt the GPU using OpenCL to accelerate the pcre_exec()
> operation. How the rules are organized for packets matching? As far as i
> see, the pcre_exec is called by function ruleMatch(void *p, Rule *rule),
> in which only one rule will be used to test for the packet. I wonder
> there is a loop calling ruleMatch() with different rules? Thx.

I've talked to Marty about this before, and he had some good points as
to why this isn't really a production-ready feature for IDS/IPS
solutions. Of course I don't remember his exact verbiage :-)

This also applies to SMP (multiple CPUs/cores).

As far as I know, mapping the state pointers to a consistent array is a
very complicated accomplishment. This, along with what happens to the
packets between the NIC and CPU/GPUs, make performance unpredictable
(well, at least predictably slower given the current state).

This being said, I've only recently started seriously looking at GPU
computation methods. Having only CUDA (nVidia) and Stream (ATI)
libraries to work with is unsettling. I don't like vendor lock-in.
OpenCL looks promising, but Apple has a way of messing up good
technology in spectacular ways!

Randy




More information about the Snort-devel mailing list