
List:       openantivirus-developer
Subject:    [Openantivirus-developer] quick pattern search for AV (fwd)
From:       Rainer Link <link () suse ! de>
Date:       2002-05-30 12:16:30


Hi folks!

Here's a quite interesting mail from Philippe. As he's not subscribed to
the lists, please keep the CC to him. Thanks.

---------- Forwarded message ----------
Date: Thu, 30 May 2002 10:54:49 +0200 (CEST)
From: Philippe Biondi <biondi@cartel-securite.fr>
To: rainer@openantivirus.org
Subject: quick pattern search for AV

Hi!

I've just discovered that you were founder of the open antivirus team
when I wanted to contact this team :)

I've begun to develop libqsearch. That's a C library aimed at searching for
sets of patterns in buffers as fast as possible. (It's GPL, btw).

For the moment, it's in beta stage but it's still quite usable, and
development goes fast. You can download it at:
http://www.cartel-securite.fr/pbiondi/libqsearch.html

For the moment, it will be used in Prelude Hybrid IDS, but as it is
completely generic, it can be used in antivirus projects that need to do
signatures checks.

The idea is to have an API frontend that gives you the ability to load
plugins. Each plugin can provide one or more algorithms. Each algorithm
can be instantiated to one or more search objects.
Then you add patterns to the object (patterns can include \0 (!), and can
be case sensitive or not, include jokers, ..). Then you compile it.
The search object will then be able to search simultaneously for every
pattern (even of heterogeneous types) in a given buffer.
One of the interests is the use of states to summarize a past search.
States are trivially implemented for automata based algorithms, and are
not so hard to implement for other algorithms (if n is the longest
pattern, just keep the n-1 last bytes in the state for the next search).
This gives you the ability to match patterns that overlap on 2 buffers
without having to worry about that (TCP reassembly for IDSes is greatly
simplified: no need to move payloads to adjacent zones, no need to keep
a payload in memory waiting for the next. Benefits for AV that work on
flux could be great too).

For the moment, a simple algorithm that makes the lib usable is
implemented, and a boyer-moore like algorithm that does not do case
insensitive or joker searches for the moment.
But you can still use the lib, and switch one name once a better algo is
implemented and benefit from better speed without changing your implementation.
Some algos will be better for small patterns, others will be
memory-friendly for thousands of patterns, so that you can choose which
one is better (I'm also working on a tester and a benchmarker :)).

If you think it could be of a valuable help for any of the projects headed
by the openantivirus team, tell me what to do.

Best regards, Phil.


-- 
Philippe Biondi <biondi@cartel-securite.fr>  Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
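A small C sketch of the carried-state search Phil describes (keep the n-1 last bytes of the previous buffer so a pattern split across two buffers is still matched), added here as an example; it is not libqsearch's own code. The qs_* names, the naive multi-pattern scan and the fixed pattern limits are my assumptions, and the sample stream is constructed.

```c
#include <string.h>
#define MAX_PATS 8
#define MAX_PATLEN 32

/* Search object: the patterns plus the carried state, i.e. the last
   maxlen-1 bytes of the stream seen so far. Constructed example. */
typedef struct {
    const unsigned char *pat[MAX_PATS];
    size_t patlen[MAX_PATS], npat, maxlen;
    unsigned char tail[MAX_PATLEN];  /* last maxlen-1 bytes of earlier data */
    size_t taillen, consumed;        /* consumed = stream bytes seen so far */
} qs_state;

void qs_init(qs_state *s) { memset(s, 0, sizeof *s); }

int qs_add(qs_state *s, const char *pat, size_t len) { /* explicit len: \0 ok */
    if (s->npat >= MAX_PATS || len == 0 || len > MAX_PATLEN) return -1;
    s->pat[s->npat] = (const unsigned char *)pat;
    s->patlen[s->npat++] = len;
    if (len > s->maxlen) s->maxlen = len;
    return 0;
}

/* Naive multi-pattern scan of data[0..n): starts < max_start, ends > min_end.
   Each match's stream offset (base + i) is appended to out (up to max). */
static void scan(const qs_state *s, const unsigned char *data, size_t n,
                 size_t max_start, size_t min_end, size_t base,
                 size_t *out, size_t max, size_t *cnt) {
    for (size_t i = 0; i < max_start && i < n; i++)
        for (size_t p = 0; p < s->npat; p++) {
            size_t end = i + s->patlen[p];
            if (end > n || end <= min_end ||
                memcmp(data + i, s->pat[p], s->patlen[p])) continue;
            if (*cnt < max) out[*cnt] = base + i;
            (*cnt)++;
        }
}

/* Search one buffer. A pattern split across the previous buffer and this one
   is found through the carried tail. Returns the match count, offsets in out. */
size_t qs_search(qs_state *s, const void *buf, size_t len, size_t *out, size_t max) {
    const unsigned char *b = buf; unsigned char junc[2 * MAX_PATLEN];
    size_t keep = s->maxlen ? s->maxlen - 1 : 0, hk = len < keep ? len : keep, cnt = 0;
    memcpy(junc, s->tail, s->taillen);            /* junction = tail || buf head */
    memcpy(junc + s->taillen, b, hk);
    scan(s, junc, s->taillen + hk, s->taillen, s->taillen,  /* boundary-crossing only */
         s->consumed - s->taillen, out, max, &cnt);
    scan(s, b, len, len, 0, s->consumed, out, max, &cnt);   /* matches inside buf */
    memcpy(junc + s->taillen, b + len - hk, hk);  /* new state: last keep bytes of tail||buf */
    hk += s->taillen; s->taillen = hk < keep ? hk : keep;
    memcpy(s->tail, junc + hk - s->taillen, s->taillen);
    s->consumed += len;
    return cnt;
}
```

Reported offsets are absolute stream positions, so a caller doing TCP reassembly or scanning a file in chunks never has to copy data between adjacent buffers.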


_______________________________________________
Openantivirus-developer mailing list
Openantivirus-developer@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openantivirus-developer