Optimization #548
openUse bloomfilter for filemd5
Description
To reduce memory usage, use bloom filters.
Pros:
There is already code implemented in suricata source
It is very efficient for blacklists.
Cons:
It might not be efficient for whitelists.
Notes:
Since it has false positives, it would probably be necessary to do a second level validation lookup from data on disk and it will be more expensive.
Implementing through a different keyword (filemd5bloom?) will help avoiding misuse by users.
Updated by Victor Julien over 11 years ago
I think it could make sense for performance, but not for reducing memory. As you mentioned, after a bloom match you will still need to do a validation step. We can't do that from disk, it would be too slow.
Updated by Victor Julien over 11 years ago
- Assignee set to Anonymous
- Target version set to TBD
Performance seems to be OK with the current code as well btw.
Updated by Andreas Herz over 8 years ago
Victor Julien wrote:
Performance seems to be OK with the current code as well btw.
Worth closing the ticket?
Updated by Victor Julien over 8 years ago
No I changed my mind a bit, think it would be interesting to look into this. Still low priority though.
Updated by Victor Julien almost 6 years ago
- Effort set to low
- Difficulty set to medium
Updated by Philippe Antoine 9 months ago
- Tracker changed from Feature to Optimization