[prads-devel] some thoughts on a new signature API
Edward Bjarte Fjellskål
edward.fjellskal at redpill-linpro.com
Tue Feb 2 12:39:40 CET 2010
Kacper Wysocki wrote:
> Hey folks,
> I've committed the p0f signature loading and matching code but I have
> yet to review & refactor it, or even call it from the codepath.
> It's going to be optional/on-by-default, as we want to see what impact
> matching has on performance, and even do matching offline/decoupled from
> the critical path.
> However, my thoughts real quick are that the signature/fp code is
> streamlined so that we have -one- interface for any and all
> fingerprinting techniques.
> What do I mean by that?
> - one function to load_sigs(filename, hashbucket [, max])
> - one function to find_match(packetinfo *pi, fp_entry *e) [for instance!]
> - one function to print_fp(fp_entry *e) which generates a
> the same interface can then be used to implement various different
> signature matching algorithms for various different protocols.
> Furthermore, a find_match() should ideally just update a pointer in the
> asset struct that points to the fp_entry corresponding to the best
> matching signature, copying-less :-)
Only problem here would be if we kill -HUP to reread signature files,
and then the pointers from the asset struct would be a challenge.
But hey - I don't think this is in the roadpath, so I don't see a real
> I will be working on this stuff in the days ahead. Thoughts are welcome,
> as I need a sounding board.
I think you are on a good path! walk it :)
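To make the reload concern concrete, here is an added toy illustration (not PRADS code, and not Kacper's or Edward's) of the three-function API shape sketched in the thread, with one twist for the -HUP case: an asset stores an index into the signature table plus the table's generation counter instead of a raw fp_entry pointer, so a lookup after a reload yields NULL rather than a dangling reference into freed or replaced memory. The "os:ttl:window" line format, the function names other than those in the thread, and the sample signatures are all constructed for this example.

```c
/* Added example, not from PRADS: a minimal signature API with reload-safe
 * asset references. Names, the "os:ttl:window" format and the sample data
 * are assumptions made for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SIGS 64

/* toy packet summary: only the fields the toy signatures match on */
typedef struct packetinfo {
    unsigned ttl;
    unsigned window;
} packetinfo;

typedef struct fp_entry {
    char os[32];
    unsigned ttl;
    unsigned window;
} fp_entry;

/* the loaded signature set; replaced wholesale on every (re)load */
typedef struct sigtable {
    fp_entry entries[MAX_SIGS];
    int count;
    unsigned generation; /* bumped on every load, so stale refs are detectable */
} sigtable;

/* what an asset keeps instead of a raw fp_entry pointer */
typedef struct asset_match {
    int index;           /* index into sigtable.entries, -1 if no match */
    unsigned generation; /* table generation the index was taken from */
} asset_match;

static sigtable sigs;

/* load_sigs stand-in: parse "os:ttl:window" lines from a string (a file in
 * the real thing). Malformed lines are skipped. Returns number loaded. */
int load_sigs_from_string(const char *text) {
    sigtable fresh;
    char buf[1024];
    memset(&fresh, 0, sizeof fresh);
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *line = strtok(buf, "\n"); line && fresh.count < MAX_SIGS;
         line = strtok(NULL, "\n")) {
        fp_entry *e = &fresh.entries[fresh.count];
        if (sscanf(line, "%31[^:]:%u:%u", e->os, &e->ttl, &e->window) != 3)
            continue; /* do not load garbage */
        fresh.count++;
    }
    fresh.generation = sigs.generation + 1;
    sigs = fresh; /* wholesale swap: every previously handed-out index is now stale */
    return sigs.count;
}

/* find_match: exact ttl+window match; returns an index, copying nothing */
int find_match(const packetinfo *pi) {
    for (int i = 0; i < sigs.count; i++)
        if (sigs.entries[i].ttl == pi->ttl && sigs.entries[i].window == pi->window)
            return i;
    return -1;
}

/* record a match on an asset together with the current table generation */
void asset_set_match(asset_match *m, int index) {
    m->index = index;
    m->generation = sigs.generation;
}

/* resolve the cached match; NULL if none or if the table was reloaded since
 * (the -HUP case), so a stale index is never dereferenced */
const fp_entry *asset_get_match(const asset_match *m) {
    if (m->index < 0 || m->index >= sigs.count) return NULL;
    if (m->generation != sigs.generation) return NULL;
    return &sigs.entries[m->index];
}

/* print_fp: render an entry into a caller-supplied buffer */
int print_fp(const fp_entry *e, char *out, size_t len) {
    if (!e) return snprintf(out, len, "unknown");
    return snprintf(out, len, "%s (ttl=%u,win=%u)", e->os, e->ttl, e->window);
}

/* self-check with constructed signatures: match, reload, confirm the old
 * reference no longer resolves. Returns 1 on success, 0 otherwise. */
int check_reload_safety(void) {
    packetinfo pi = { 128, 65535 };
    asset_match m;
    const fp_entry *e;
    if (load_sigs_from_string("Linux 2.6:64:5840\nWindows XP:128:65535\nbroken line\n") != 2)
        return 0;
    asset_set_match(&m, find_match(&pi));
    e = asset_get_match(&m);
    if (!e || strcmp(e->os, "Windows XP") != 0) return 0;
    if (load_sigs_from_string("Linux 2.6:64:5840\n") != 1) return 0; /* simulated -HUP */
    return asset_get_match(&m) == NULL;
}

int main(void) {
    char line[96];
    printf("reload safety check: %s\n", check_reload_safety() ? "ok" : "FAILED");
    print_fp(NULL, line, sizeof line);
    printf("stale match renders as: %s\n", line);
    return 0;
}
```

The cost of the generation check is one compare per lookup; an asset whose match went stale simply gets re-matched on its next packet, which is the behaviour you want after a signature reload anyway.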