An Approach for Unifying Rule Based Deep Packet Inspection

High performance Internet traffic inspection and layer-7 content analysis have become essential functions of high speed networks. Over the past decade several DPI systems have evolved targeting specific issues related to traffic management, user/application policing, intrusion detection/prevention, URL/malicious/unwanted content filtering. Snort, OpenDPI, Bro, L7-filter, ClamAV are a number of open-source tools based on custom DPI engines and custom rule-sets. The surging demand for higher bandwidth DPI systems capable of supporting larger rule-sets requires the use of hardware acceleration and hardware-based systems. In comparison to software based systems, the design and development of custom purpose hardware for DPI is expensive and enforces the need for a unified DPI system that can be used for a wide range of DPI applications. This paper presents the research in converting known DPI rule-sets into a meta format based on regular expression, that can be executed by a software and hardware-based processing platforms. To demonstrate this work a Snort2Regex translator has been developed to transform Snort rules into regular expressions using not only the content of the Snort rule but every relevant element that belongs to it and could increase the accuracy of the analysis.