Anyone looked into doing hyperscan for pattern matching in Bro? The current pattern matching is very MEH, and it makes me wonder if it might be possible to use hyperscan and a plugin to do more intense pattern matching.
Is there something in particular that you are unable to do that hyperscan would enable?
.Seth
Matching acceleration. Currently, we do not have groups in our regexes in Bro. From a practical point of view, neither does hyperscan. Moving to an accelerated regex matching engine with roughly the same features as the current implementation through flex in Bro would allow for more expensive expressions to be rolled out with less overhead. We have seen issues with some moderately intense regular expressions causing giant spikes in load, and pushing it through hyperscan would help alleviate it. I realize this constitutes a major departure from how they are handled currently, but thought if there was interest, we might be able to push it into 2.6 or even as far out as 2.7…