Optimization #548: Use bloomfilter for filemd5 - Suricata - Open Information Security Foundation

Actions

Copy link

Optimization #548

open

Use bloomfilter for filemd5

Added by David André about 12 years ago. Updated over 1 year ago.

Status:

New

Priority:

Low

Assignee:

Community Ticket

Target version:

TBD

Effort:

low

Difficulty:

medium

Label:

Description

To reduce memory usage, use bloom filters.

Background:
Bloom filters are very memory efficient probabilistic data-structures that dont have false negatives but have false positives.

Pros:
There is already code implemented in suricata source
It is very efficient for blacklists.

Cons:
It might not be efficient for whitelists.

Notes:
Since it has false positives, it would probably be necessary to do a second level validation lookup from data on disk and it will be more expensive.
Implementing through a different keyword (filemd5bloom?) will help avoiding misuse by users.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Optimization #548

Use bloomfilter for filemd5

Updated by Victor Julien about 12 years ago

Updated by Victor Julien about 12 years ago

Updated by Andreas Herz almost 9 years ago

Updated by Victor Julien almost 9 years ago

Updated by Victor Julien over 6 years ago

Updated by Andreas Herz over 5 years ago

Updated by Philippe Antoine over 1 year ago