hyperscan
[QUESTION] How to clear singlematch status between multi hs_scan_stream
Hi all,
I want to do something like `hs_scan_stream->hs_scan_stream->hs_scan_stream`, but the singlematch flag is kept across the multiple scans, so I want to do something like `hs_scan_stream->clear_single_match_status->hs_scan_stream->clear_single_match_status->hs_scan_stream`. How can I do that? Where is the singlematch cache in the source code?
What's your use case? Seems you want single match in each stream block, not the whole stream?
> What's your use case? Seems you want single match in each stream block, not the whole stream?

Yes, I just want single match in each stream block. We have some short rules that trigger multiple matches in a packet, so we added the singlematch flag. But this mutes the real match behind it. We have 2 methods to fix it:
- Modify all rules to `XXX.*XXX`, but it's very expensive.
- Clear single match flag for each stream block
What is the hit rate of the rules like, for each packet? How about dropping the unnecessary match results in a packet? This may hurt performance if the hit rate is very high, though.
After using singlematch, we got a 10% performance improvement. Some of our short rules for web attack detection do indeed hurt performance, and for now we can't identify unnecessary results because we have so many rules. Using singlematch causes some missed checks between packets. So, how could I reset the singlematch status? Is it possible?
Current Hyperscan cannot easily support single-match flag resetting in streaming mode.
A possible workaround may be managing the matching results <id, offset> via the callback function and implementing single-match behavior for each packet outside Hyperscan.
I agree with this solution of implementing a custom singlematch in the callback, but I worry about whether the efficiency will not be worse, and it may cause the tradeoff of context switches.
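
One way to implement the per-packet single match described in the workaround above, added here as an example (not code from Hyperscan or from the thread participants). It assumes the patterns are compiled without `HS_FLAG_SINGLEMATCH`, so every match reaches the callback; `block_dedup`, `block_begin`, `on_match`, `MAX_RULE_ID` and `MAX_HITS` are hypothetical names, and the state must start zero-initialized.

```c
#include <stdint.h>
#include <string.h>

#define MAX_RULE_ID 4096u   /* assumption: rule ids fall in 0..MAX_RULE_ID-1 */
#define MAX_HITS    64u     /* assumption: cap on hits kept per block */

struct hit { unsigned int id; unsigned long long to; };

/* Hypothetical per-stream state, passed as the `context` argument of hs_scan_stream(). */
struct block_dedup {
    uint32_t last_block[MAX_RULE_ID]; /* block number in which each id last fired */
    uint32_t block_no;                /* current block; 0 means "never fired" */
    struct hit hits[MAX_HITS];        /* first match of each rule in this block */
    unsigned int n_hits;
    unsigned int suppressed;          /* repeat matches dropped in this block */
};

/* Call once per packet, before hs_scan_stream(). O(1) except on counter wrap. */
static void block_begin(struct block_dedup *d)
{
    if (++d->block_no == 0) {         /* wrapped: stale stamps could collide */
        memset(d->last_block, 0, sizeof d->last_block);
        d->block_no = 1;
    }
    d->n_hits = 0;
    d->suppressed = 0;
}

/* Same signature as Hyperscan's match_event_handler; returning 0 continues the scan.
 * Hyperscan invokes the callback synchronously on the thread calling hs_scan_stream(). */
static int on_match(unsigned int id, unsigned long long from,
                    unsigned long long to, unsigned int flags, void *context)
{
    struct block_dedup *d = context;
    (void)from; (void)flags;
    if (id < MAX_RULE_ID) {
        if (d->last_block[id] == d->block_no) { d->suppressed++; return 0; }
        d->last_block[id] = d->block_no;
    }                                 /* out-of-range ids are reported, never deduplicated */
    if (d->n_hits < MAX_HITS)
        d->hits[d->n_hits++] = (struct hit){ id, to };
    return 0;
}
```

Stamping each rule id with the current block number makes the per-packet "reset" a single increment instead of clearing a table, and the `to` offsets recorded are stream offsets as reported by Hyperscan in streaming mode.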