• DocumentCode
    2418067
  • Title
    An Approach for Unifying Rule Based Deep Packet Inspection
  • Author
    Munoz, A. ; Sezer, S. ; Burns, D. ; Douglas, G.
  • Author_Institution
    Centre for Secure Inf. Technol. (CSIT), Queen's Univ. of Belfast, Belfast, UK
  • fYear
    2011
  • fDate
    5-9 June 2011
  • Firstpage
    1
  • Lastpage
    5
  • Abstract
    High performance Internet traffic inspection and layer-7 content analysis have become essential functions of high speed networks. Over the past decade several DPI systems have evolved, each targeting specific issues related to traffic management, user/application policing, intrusion detection/prevention, and URL/malicious/unwanted content filtering. Snort, OpenDPI, Bro, L7-filter and ClamAV are open-source tools based on custom DPI engines and custom rule-sets. The surging demand for higher bandwidth DPI systems capable of supporting larger rule-sets requires the use of hardware acceleration and hardware-based systems. In comparison to software-based systems, the design and development of custom purpose hardware for DPI is expensive. The need for DPI solutions for a range of applications at high speed requires a unified processing platform. This paper presents research in converting known DPI rule-sets into a meta format based on regular expressions that can be executed by both software and hardware-based processing platforms. To demonstrate this work, a Snort2Regex translator has been developed to transform Snort rules into regular expressions, using not only the content of the Snort rule but every relevant element that belongs to it and could increase the accuracy of the analysis.
  • Keywords
    Internet; computer network management; computer network security; inspection; public domain software; telecommunication traffic; Bro; ClamAV; Internet traffic inspection; L7-filter; OpenDPI; Snort2Regex translator; URL content filtering; application policing; hardware acceleration; hardware-based processing platform; hardware-based system; high speed network; intrusion detection; intrusion prevention; layer-7 content analysis; malicious content filtering; meta format; open-source tools; rule based deep packet inspection; software-based processing platform; traffic management; unwanted content filtering; user policing; Hardware; IP networks; Internet; Intrusion detection; Payloads; Protocols; Syntactics;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications (ICC), 2011 IEEE International Conference on
  • Conference_Location
    Kyoto
  • ISSN
    1550-3607
  • Print_ISBN
    978-1-61284-232-5
  • Electronic_ISBN
    1550-3607
  • Type
    conf
  • DOI
    10.1109/icc.2011.5963095
  • Filename
    5963095