FPGA MATCHING METHOD OF HIGH SPEED SNORT RULE AND YARA RULE BASED ON FPGA

摘要

The present invention relates to an FPGA-based fast snort rule and Yarra rule matching method, comprising: a rule conversion step of converting a snort rule and a yarra rule in a detection rule converter to store a fixed pattern and a PCRE pattern in a memory on a hardware board; A pattern matching step of receiving a packet input from a network based on the converted rule, parsing the packet in a packet FIFO and a fast packet processing module, and performing fixed pattern and PCRE pattern matching, respectively; Receives the header value and payload of the packet from the packet parsing, reconstructs the file, stores it in a memory inside the FPGA, and matches the stored hash values based on the additionally input packet to match the mitigation control signal in the detection result processing module. A hash matching step occurring; And a packet forwarding step of successively generating packet drop and packet forwarding by determining whether to relax the packet by reading the packet from the packet FIFO.