[prads-devel] some thoughts on a new signature API
Kacper Wysocki
kwy at redpill-linpro.com
Tue Feb 2 12:11:38 CET 2010
Hey folks,
I've committed the p0f signature loading and matching code but I have
yet to review & refactor it, or even call it from the codepath.
It's going to be optional/on-by-default, as we want to see what impact
matching has on performance, and even do matching offline/decoupled from
the critical path.
However, my thoughts real quick are that the signature/fp code is
streamlined so that we have -one- interface for any and all
fingerprinting techniques.
What do I mean by that?
- one function to load_sigs(filename, hashbucket [, max])
- one function to find_match(packetinfo *pi, fp_entry *e) [for instance!]
- one function to print_fp(fp_entry *e) which generates a char*-representation
The same interface can then be used to implement various different
signature matching algorithms for various different protocols.
Furthermore, a find_match() should ideally just update a pointer in the
asset struct that points to the fp_entry corresponding to the best
matching signature, copying-less :-)
I will be working on this stuff in the days ahead. Thoughts are welcome,
as I need a sounding board.
0K
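As an added illustration (not PRADS code or the author's), a minimal C sketch of the one-interface API proposed in the mail: load_sigs() fills hash buckets, find_match() only updates a pointer in the asset struct, and print_fp() renders a char* representation. The fp_entry/packetinfo/asset layouts and the toy "ttl:win:os" signature format are assumptions (real p0f signatures are richer), and load_sigs() takes a FILE* instead of a filename so the constructed signature text can be fed from memory.

```c
/* Added sketch of the one-interface signature API; not PRADS code.
 * The "ttl:win:os" signature format is a constructed toy, not p0f's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BUCKETS 16

typedef struct fp_entry {           /* one loaded signature, chained per bucket */
    int ttl, win; char os[32]; struct fp_entry *next;
} fp_entry;
typedef struct { int ttl, win; } packetinfo;     /* the fields we match on */
typedef struct { const fp_entry *fp; } asset;   /* pointer to best match, no copy */

static unsigned fp_hash(int ttl, int win) {
    return ((unsigned)ttl * 31u + (unsigned)win) % BUCKETS;
}

/* load_sigs: parse "ttl:win:os" lines from f into buckets; returns count loaded. */
int load_sigs(FILE *f, fp_entry *bucket[BUCKETS], int max) {
    char line[128]; int n = 0;
    while (n < max && fgets(line, sizeof line, f)) {
        fp_entry *e = calloc(1, sizeof *e);
        if (!e || sscanf(line, "%d:%d:%31[^\n]", &e->ttl, &e->win, e->os) != 3)
            { free(e); continue; }  /* skip malformed lines rather than abort */
        unsigned h = fp_hash(e->ttl, e->win);
        e->next = bucket[h]; bucket[h] = e; n++;
    }
    return n;
}

/* find_match: point a->fp at the matching entry (no copying); 1 if found, else 0. */
int find_match(const packetinfo *pi, fp_entry *bucket[BUCKETS], asset *a) {
    for (const fp_entry *e = bucket[fp_hash(pi->ttl, pi->win)]; e; e = e->next)
        if (e->ttl == pi->ttl && e->win == pi->win) { a->fp = e; return 1; }
    return 0;
}

/* print_fp: char* representation of an entry, written into the caller's buffer. */
char *print_fp(const fp_entry *e, char *buf, size_t len) {
    snprintf(buf, len, "%d:%d:%s", e->ttl, e->win, e->os);
    return buf;
}

/* demo_match: load a constructed signature set once (tmpfile stands in for the
 * signature file), match one packet, return its printed signature or NULL. */
const char *demo_match(int ttl, int win) {
    static fp_entry *bucket[BUCKETS]; static int loaded; static char out[64];
    if (!loaded) {
        FILE *f = tmpfile();
        if (!f) return NULL;
        fputs("64:5840:Linux 2.6\n128:65535:Windows XP\nbad line\n", f);
        rewind(f); loaded = load_sigs(f, bucket, 100); fclose(f);
    }
    packetinfo pi = { ttl, win }; asset a = { NULL };
    return find_match(&pi, bucket, &a) ? print_fp(a.fp, out, sizeof out) : NULL;
}
```

The malformed "bad line" is skipped by load_sigs(), so only two entries are loaded and a packet with no matching entry leaves the asset's pointer untouched.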