Title of invention Detecting network traffic content
Abstract A device for detecting network traffic content is provided. The device includes a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates. The device also includes a processor configured to receive data associated with network traffic content, execute one or more instructions based on the one or more signatures and the data, and determine whether the network traffic content matches the content desired to be detected.
Publication number US9118705(B2) Publication date 2015.08.25
Application number US201313795245 Application date 2013.03.12
Applicant Fortinet, Inc. Inventor Xie Michael
Classification number H04L29/06 Main classification number H04L29/06
Agency Schwegman Lundberg & Woessner, P.A. Agent Schwegman Lundberg & Woessner, P.A.
Principal claim 1. A device for detecting network traffic content, the device comprising: a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired to be detected, and defined by one or more predicates; a processor configured to receive data associated with network traffic content, execute one or more instructions based on the one or more signatures and the data, and determine whether the network traffic content matches the content desired to be detected; a compiler connected to the memory, the compiler configured to translate the one or more signatures into a machine language and to store compiled signatures in the memory; a network traffic content processing module, executable by the processor, to receive data associated with network traffic content, apply instructions based on the one or more signatures and the data, and determine whether the network traffic content matches the content desired to be detected; a network traffic flow management module to manage flow of the network traffic, the management including redirecting the network traffic content when the network traffic content processing module identifies network traffic content including content desired to be detected, the redirecting including passing a copy of the network traffic content to a stack, passing at least a portion of the network traffic content to the processor to determine whether the at least a portion of the network traffic content contains undesirable content, signal the stack to release the copy to the user when the processor identifies no undesirable content, and signaling the stack to delete the copy when the processor identifies undesirable content; and wherein the network traffic content is received and transmitted via a plurality of wire-based network ports of the device and signatures are received via a wire-based network port of the device, the wire-based network port that receives the signatures is a distinct wire-based port from the plurality of wire-based network ports that receive and transmit the network traffic content, and the network traffic content is communicated over a different network than the signatures.
Address Sunnyvale CA US