Feature #548

open

Use bloomfilter for filemd5

Added by David André about 10 years ago. Updated over 3 years ago.

Status: New
Priority: Low
Target version:
Effort: low
Difficulty: medium
Label:

Description

To reduce memory usage, use bloom filters.

Background:
Bloom filters are very memory-efficient probabilistic data structures that don't have false negatives but do have false positives.

Pros:
There is already code implemented in the Suricata source.
It is very efficient for blacklists.

Cons:
It might not be efficient for whitelists.

Notes:
Since it has false positives, it would probably be necessary to do a second-level validation lookup from data on disk, and that will be more expensive.
Implementing it through a different keyword (filemd5bloom?) will help avoid misuse by users.
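
An added sketch of the two-level lookup described in the notes above; it is not part of the original ticket and not Suricata's own bloom filter code. The names Md5Set, md5set_maybe and md5set_match, the filter size and the probe count are assumptions, and a sorted in-memory array stands in for the on-disk data:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MD5_LEN 16
#define BLOOM_BITS 1024u /* assumed size; real sizing depends on list length */
#define BLOOM_K 4        /* assumed number of probes per digest */
typedef struct {
    uint8_t bits[BLOOM_BITS / 8];
    uint8_t (*exact)[MD5_LEN]; /* sorted digests; stands in for on-disk data */
    size_t n;
} Md5Set;
/* An MD5 digest is already well mixed: double-hash its two 64-bit halves. */
static uint32_t bloom_idx(const uint8_t *d, unsigned i) {
    uint64_t h1 = 0, h2 = 0;
    for (int k = 7; k >= 0; k--) { h1 = h1 << 8 | d[k]; h2 = h2 << 8 | d[8 + k]; }
    return (uint32_t)((h1 + i * (h2 | 1)) % BLOOM_BITS);
}
static int md5_cmp(const void *a, const void *b) { return memcmp(a, b, MD5_LEN); }
/* Build the filter from the digest list (sorted in place for level 2). */
void md5set_init(Md5Set *s, uint8_t (*list)[MD5_LEN], size_t n) {
    memset(s->bits, 0, sizeof s->bits);
    qsort(list, n, MD5_LEN, md5_cmp);
    s->exact = list; s->n = n;
    for (size_t j = 0; j < n; j++)
        for (unsigned i = 0; i < BLOOM_K; i++) {
            uint32_t b = bloom_idx(list[j], i);
            s->bits[b / 8] |= (uint8_t)(1u << (b % 8));
        }
}
/* Level 1: 0 = definitely not listed, 1 = possibly listed (false positives). */
int md5set_maybe(const Md5Set *s, const uint8_t *d) {
    for (unsigned i = 0; i < BLOOM_K; i++) {
        uint32_t b = bloom_idx(d, i);
        if (!(s->bits[b / 8] & (1u << (b % 8)))) return 0;
    }
    return 1;
}
/* Level 2: only on a filter hit, confirm against the exact list. */
int md5set_match(const Md5Set *s, const uint8_t *d) {
    return md5set_maybe(s, d) && bsearch(d, s->exact, s->n, MD5_LEN, md5_cmp) != NULL;
}
int main(void) {
    uint8_t list[2][MD5_LEN], fp[MD5_LEN]; /* constructed digests, not real hashes */
    memset(list[0], 0x11, MD5_LEN); memset(list[1], 0x22, MD5_LEN);
    memset(fp, 0xAA, MD5_LEN); fp[0] = fp[1] = fp[8] = fp[9] = 0x11; /* same probes as list[0] */
    Md5Set s; md5set_init(&s, list, 2);
    printf("unlisted: filter=%d exact=%d\n", md5set_maybe(&s, fp), md5set_match(&s, fp));
    return 0;
}
```

The constructed digest fp is not in the list but lands on the same filter bits as a listed one, so only the exact lookup keeps it from matching.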
