Force10 Networks 100-00055-01 manual Writing Stateful Rules, Stateful Matching

Models: 100-00055-01


Writing Stateful Rules

Stateful matching improves the accuracy of detection because it adds ordering to the behaviors being specified across multiple matching events. State transitions in the P-Series follow a non-cyclic pattern: no state transition may erase any previous state. New state transitions are simply recorded by a non-destructive, additive operation.

As new states are produced, they are bitwise OR-ed with the current states held in the per-flow register Cf, which is 16 bits wide. This differs from stateful matching in software systems, where old state is removed after a set amount of time. It allows a deterministic, wire-speed state management algorithm while guaranteeing that no match events are ever lost because of resource constraints.

Figure 38 shows the state matching algorithm. Note that the only time some state is erased is in the case of a timeout.

Figure 38 State Management Algorithm

(Flowchart, not reproduced. Its steps, in order: New Packet; Calculate Cf Address; Cf timed out? If yes, New Flow, C[0]=1; Bitwise OR Cf with new state; Update Cf.)

Stateful Matching

Each signature i contains a pattern-matching expression mi that is compared against the incoming data stream in real time (at time t). In addition, each signature may optionally contain three values, s, c, and r, which respectively specify:

The pre-match state condition necessary for the signature to match (in addition to mi)

The post-match state condition applied after the signature has matched

A directive indicating what to do with the matched packet

The s and c values are used to manage the per-flow register Cf, where the subscript f is the flow, or sub-stream, and the r value is used to direct packet storage.
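The following is an added example, not code from the Force10 manual or the P-Series firmware: a software model of the Figure 38 algorithm and of the s/c/r signature fields. Cf is a 16-bit per-flow register, a new or timed-out flow is re-created with C[0]=1, a match ORs its c bits into Cf, and a timeout is the only way state is erased. Everything else is assumed for illustration: the timeout value, the directive vocabulary ("pass" and "store"), the two-stage FTP-style signatures, the packet sequence, and the choice to evaluate every signature against the Cf value the packet arrived with before the new bits are OR-ed in.

```python
# Added example, not from the Force10 P-Series manual: a software model of
# the per-flow register Cf and of the s/c/r signature fields described above.
# Assumed for illustration: the timeout value, the directive vocabulary
# ("pass", "store"), and that signatures are evaluated against the Cf value
# the packet arrived with before the new bits are OR-ed in.
import re
from dataclasses import dataclass

REG_WIDTH = 16                     # Cf is 16 bits wide (from the manual)
REG_MASK = (1 << REG_WIDTH) - 1
FLOW_TIMEOUT = 30.0                # seconds; assumed, the manual gives no figure
FLOW_SEEN = 1 << 0                 # C[0]=1 is set when a new flow is created


@dataclass
class Signature:
    name: str
    m: re.Pattern                  # m_i, the pattern matched against the stream
    s: int = 0                     # pre-match state: bits that must already be set in Cf
    c: int = 0                     # post-match state: bits OR-ed into Cf after a match
    r: str = "pass"                # directive for the matched packet (assumed vocabulary)


@dataclass
class FlowState:
    cf: int                        # the 16-bit per-flow register
    last_seen: float               # timestamp used for the timeout check


class StatefulMatcher:
    def __init__(self, signatures, timeout=FLOW_TIMEOUT):
        self.signatures = list(signatures)
        self.timeout = timeout
        self.flows = {}            # flow key f -> FlowState

    def _lookup(self, flow, now):
        """Figure 38: calculate the Cf address; a timed-out or unknown flow is
        re-created with C[0]=1. A timeout is the only way state is erased."""
        st = self.flows.get(flow)
        if st is None or now - st.last_seen > self.timeout:
            st = FlowState(cf=FLOW_SEEN, last_seen=now)
            self.flows[flow] = st
        st.last_seen = now
        return st

    def process(self, flow, payload, now):
        """Match one packet of flow `flow`. Returns (new Cf, [(name, r), ...])."""
        st = self._lookup(flow, now)
        new_bits = 0
        actions = []
        for sig in self.signatures:
            if (st.cf & sig.s) != sig.s:        # pre-match condition s not met
                continue
            if sig.m.search(payload) is None:   # m_i did not match
                continue
            new_bits |= sig.c                   # collect post-match state c
            actions.append((sig.name, sig.r))   # r decides what to do with the packet
        st.cf = (st.cf | new_bits) & REG_MASK   # additive, non-destructive update
        return st.cf, actions


def demo_signatures():
    """Two-stage rule: a PASS command only counts if USER was seen earlier
    on the same flow. Constructed example signatures, not from the manual."""
    USER_SEEN = 1 << 1
    PASS_SEEN = 1 << 2
    return [
        Signature("ftp-user", re.compile(r"^USER "), s=0, c=USER_SEEN, r="pass"),
        Signature("ftp-pass-after-user", re.compile(r"^PASS "),
                  s=USER_SEEN, c=PASS_SEEN, r="store"),
    ]


def run_demo():
    """Replay a constructed packet sequence; returns the per-step (Cf, actions)."""
    matcher = StatefulMatcher(demo_signatures())
    steps = [
        ("flowA", "USER root\r\n", 0.0),        # stage 1 matches, sets bit 1
        ("flowA", "PASS hunter2\r\n", 1.0),     # stage 2 now allowed, sets bit 2
        ("flowB", "PASS hunter2\r\n", 1.0),     # out of order: no USER first, no match
        ("flowA", "PASS again\r\n", 100.0),     # flow timed out, Cf reset to C[0]=1
    ]
    return [matcher.process(f, p, t) for f, p, t in steps]


if __name__ == "__main__":
    for cf, actions in run_demo():
        print(f"Cf={cf:016b} actions={actions}")
```

The replay shows the ordering the text describes: the PASS signature fires on flowA only after USER has set its pre-match bit, never fires on flowB where PASS arrives first, and after the timeout flowA is treated as a new flow with Cf back to C[0]=1, so the second PASS does not match either. Note that nothing a signature does can clear a bit; only the timeout path in _lookup discards state.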


Writing Rules
