[Snort-devel] Hyperscan pattern matcher integration for Snort 2.9.8.2

Viiret, Justin justin.viiret at ...3635...
Wed Jun 8 20:57:17 EDT 2016


Hi all,

Hyperscan is a high-performance regular expression matching library from Intel, released as open source software under a 3-clause BSD license. Although there is already some use of Hyperscan in Snort++, we at Intel have also received requests for a Hyperscan integration into Snort 2.9.x.

Accordingly, we have put together a patch against Snort 2.9.8.2 which adds support for using the Hyperscan library to accelerate some of the pattern matching tasks in Snort. This integrates Hyperscan library usage into three places:

1. A new multi-pattern literal matcher (MPSE module) called "hyperscan".
2. A faster single-pattern content string matcher, replacing the Boyer-Moore approach used by default.
3. A prefilter for PCRE, where Hyperscan is used as a prefilter check for regex options before PCRE is run. Expressions that are expensive to evaluate in PCRE may be avoided entirely depending on the result of the prefilter.
 
You can find the patch here, including a README with instructions for its use:

    https://01.org/hyperscan/downloads/hyperscan-integration-snort-2.9.8.2

You can find more information about the Hyperscan library here:

Website: https://01.org/hyperscan
Github: https://github.com/01org/hyperscan

Please get in touch if you have any feedback on the patch!

Best regards,
    Justin





More information about the Snort-devel mailing list