libqsearch 0.8 review
libqsearch is a C library that aims to search for a set of patterns in buffers as fast as possible. It has also been ported to kernel space.
The idea is to have an API frontend that gives you the ability to load plugins. Each plugin can provide one or more algorithms. Each algorithm can be instantiated into one or more search objects. You then add patterns to the object (patterns can include (!), can be case sensitive or not, can include wildcards, ...).
Then you compile it. The search object is then able to search for every pattern simultaneously (even patterns of heterogeneous types) in a given buffer. One of the points of interest is the use of states to summarize a past search.
States are trivially implemented for automaton-based algorithms, and are not so hard to implement for other algorithms (if n is the length of the longest pattern, just keep the last n-1 bytes in the state for the next search). This gives you the ability to match patterns that overlap two buffers without having to worry about it (TCP reassembly for IDSes is greatly simplified: no need to move payloads into adjacent zones, no need to keep a payload in memory waiting for the next one. The benefits for AV engines that work on streams could be great too).
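An added illustration (not libqsearch's own code or API) of the state mechanism described above: a hypothetical `qstate` object searches a fixed set of patterns and carries the last n-1 bytes of each buffer into the next search, so a pattern split across two buffers is still found and a match already counted in the carried bytes is not counted twice. The pattern set and buffers in the test are constructed sample data.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_PAT 8

/* Hypothetical search object (not libqsearch's API): illustrates the
 * "keep the last n-1 bytes" state for a non-automaton algorithm. */
typedef struct {
    const char *pat[MAX_PAT];
    size_t patlen[MAX_PAT];
    int npat;
    size_t n;        /* length of the longest pattern */
    char *carry;     /* last n-1 bytes of the previous buffer */
    size_t carrylen;
} qstate;

int qstate_init(qstate *s, const char **pats, int npat) {
    if (npat < 1 || npat > MAX_PAT) return -1;
    s->npat = npat; s->n = 0; s->carrylen = 0;
    for (int i = 0; i < npat; i++) {
        s->pat[i] = pats[i];
        s->patlen[i] = strlen(pats[i]);
        if (s->patlen[i] > s->n) s->n = s->patlen[i];
    }
    s->carry = malloc(s->n + 1);
    return s->carry ? 0 : -1;
}

/* Search one buffer. Counts every occurrence that ends in this buffer,
 * including ones that started in the previous one, then saves the last
 * n-1 bytes for the next call. The scan is a naive O(len*npat*n)
 * comparison: the point is the state handling, not matching speed. */
size_t qstate_search(qstate *s, const char *buf, size_t len) {
    size_t total = s->carrylen + len, hits = 0;
    char *work = malloc(total + 1);
    if (!work) return 0;
    memcpy(work, s->carry, s->carrylen);
    memcpy(work + s->carrylen, buf, len);
    for (size_t pos = 0; pos < total; pos++)
        for (int i = 0; i < s->npat; i++) {
            size_t end = pos + s->patlen[i];
            /* a match lying entirely in the carried bytes was already counted */
            if (end <= total && end > s->carrylen &&
                memcmp(work + pos, s->pat[i], s->patlen[i]) == 0)
                hits++;
        }
    size_t keep = s->n ? s->n - 1 : 0;
    if (keep > total) keep = total;
    memcpy(s->carry, work + total - keep, keep);
    s->carrylen = keep;
    free(work);
    return hits;
}
```

Call `free(s.carry)` when the state is no longer needed.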
This API is also implemented for Linux kernels. For each algorithm, a wrapper is automatically generated so that it can be compiled with the kernel. The API and the algorithms can also be compiled as LKMs.