[Oisf-devel] PR: Hyperscan MPM integration
justin.viiret at intel.com
Wed Mar 16 04:30:37 UTC 2016
Late last year, Geoff Langdale gave a talk at the OISF Suricata conference about Intel's Hyperscan pattern matcher and an early integration with Suricata. This integration uses Hyperscan as an MPM algorithm, used for bulk literal scanning.
I have just submitted a PR on GitHub with the code, and we would love to see it accepted upstream for more general use within the Suricata community.
The first PR is here: https://github.com/inliniac/suricata/pull/1941
Geoff's slides from the conference: https://openisf.files.wordpress.com/2015/11/oisf-keynote-2015-geoff-langdale.pdf
(As Geoff says, there is lots of scope for making more use of Hyperscan for regex matching in Suricata further down the track.)
You can get Hyperscan from its official site <https://01.org/hyperscan> and you can find a guide to building it in the "Getting Started" section of the documentation linked from that page.
Some small caveats:
* Hyperscan will run on x86 processors in 64-bit (Intel 64 Architecture) and 32-bit (IA-32 Architecture) modes. At a minimum, support for Supplemental Streaming SIMD Extensions 3 (SSSE3) is required, which should be available on any modern x86 processor.
* Hyperscan has a few dependencies (CMake, Boost, Ragel) and requires a C++11-capable C++ compiler.
* To link Suricata against Hyperscan you must build Hyperscan with shared libraries, as otherwise the C++ standard library won't be pulled in when the Suricata binary is linked.
If anyone would like to test the code and see how it performs, we would love to see some feedback!