Force10 Networks 100-00055-01 Network Card User Manual


 
68 Writing Rules
Writing Stateful Rules
Stateful matching improves the accuracy of detection because it adds ordering when specifying behaviors
across multiple matching events. State transitions in the P-Series follow a non-cyclic pattern; no state
transitions may erase any of the previous states. New state transitions are simply recorded via a
non-destructive, additive operation.
As new states are produced, they are bitwise OR-ed with the current states contained in the per-flow register Cf, which is 16 bits wide. This method is different from stateful matching in software systems, where old state is removed after a set amount of time. It allows a deterministic wire-speed state management algorithm while guaranteeing that no match events are ever lost due to resource constraints.
Figure 38 shows the state matching algorithm. Note that the only time some state is erased is in the case of a timeout.
Figure 38 State Management Algorithm
[Flowchart: New Packet -> Calculate Cf Address -> Timed out? (yes) / New Flow? (yes) -> C[0]=1 -> Bitwise OR Cf | new state -> Update Cf]
Stateful Matching
Each signature i contains a pattern matching expression m_i that is compared to the incoming data stream in real time (time t). In addition, each signature may contain, at your discretion, three values, s, c, and r, which respectively specify:
• The pre-match state condition necessary for the signature to match (in addition to m_i)
• The post-match state condition applied after the signature has matched
• A directive indicating what to do with the matched packet
The s and c values are used to manage the per-flow register Cf, where the subscript f is the flow, or sub-stream, and the r value is used to direct the packet storage.
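The following is an added software model of the state management algorithm and the s/c/r signature values described above; it is illustration code written for this page, not Force10 firmware or a P-Series rule syntax. It assumes, where the manual does not say: that s is satisfied when every bit it names is already set in Cf, that all signatures in a packet are evaluated against Cf as it stood before that packet and their c values are OR-ed in together afterwards, that bit 0 is the "flow seen" bit set at C[0]=1, and a 30-second inactivity timeout. The class and function names (Signature, FlowTable, run_demo) and the FTP-style sample packets are constructed for the example.

```python
# Software model of the per-flow state register Cf described above.
# Added illustration, not Force10 code; names, the s/c semantics and the
# timeout value are assumptions made for this example.
from dataclasses import dataclass

STATE_BITS = 16                      # Cf is 16 bits wide
STATE_MASK = (1 << STATE_BITS) - 1
INITIAL_STATE = 1 << 0               # C[0]=1: the flow has been seen


@dataclass
class Signature:
    name: str
    pattern: bytes   # m_i: substring matched against the packet payload
    s: int = 0       # pre-match condition: bits that must already be set in Cf (assumed semantics)
    c: int = 0       # post-match state: bits OR-ed into Cf when the signature matches
    r: str = "pass"  # directive for the matched packet (assumed values: pass/store/drop)


@dataclass
class FlowState:
    cf: int
    last_seen: float


class FlowTable:
    def __init__(self, signatures, timeout):
        self.signatures = signatures
        self.timeout = timeout   # seconds of inactivity before a flow's state is dropped
        self.flows = {}

    def _lookup(self, flow_id, now):
        st = self.flows.get(flow_id)
        # A timeout is the only path that erases state: the flow restarts at C[0]=1.
        if st is None or now - st.last_seen > self.timeout:
            st = FlowState(INITIAL_STATE, now)
            self.flows[flow_id] = st
        st.last_seen = now
        return st

    def process(self, flow_id, payload, now):
        """Apply every signature to one packet; return [(name, r)] for the matches."""
        st = self._lookup(flow_id, now)
        matched = []
        new_state = 0
        for sig in self.signatures:
            if sig.pattern not in payload:
                continue
            # s is checked against Cf as it stood before this packet (modelling
            # assumption), so a two-stage rule needs its stages in separate packets.
            if st.cf & sig.s != sig.s:
                continue
            matched.append((sig.name, sig.r))
            new_state |= sig.c
        # Additive, non-destructive update: bits are only ever OR-ed in, never cleared.
        st.cf = (st.cf | new_state) & STATE_MASK
        return matched

    def state_of(self, flow_id):
        return self.flows[flow_id].cf


# Constructed two-stage rule: a PASS command only counts if USER was seen earlier
# in the same flow. Bit 0 is reserved for C[0]=1, so user-defined states start at bit 1.
USER_SEEN = 1 << 1
LOGIN_SEEN = 1 << 2
RULES = [
    Signature("ftp-user", b"USER ", s=0, c=USER_SEEN),
    Signature("ftp-pass", b"PASS ", s=USER_SEEN, c=LOGIN_SEEN, r="store"),
]


def run_demo():
    table = FlowTable(RULES, timeout=30.0)
    out = {}
    # Flow A, correct order: both stages match and Cf ends up 0b111.
    table.process("A", b"USER alice\r\n", now=0.0)
    out["A"] = table.process("A", b"PASS hunter2\r\n", now=1.0)
    out["A_cf"] = table.state_of("A")
    # Flow B, PASS before USER: the second stage never fires; USER is still recorded.
    out["B_first"] = table.process("B", b"PASS hunter2\r\n", now=0.0)
    table.process("B", b"USER bob\r\n", now=1.0)
    out["B_cf"] = table.state_of("B")
    # Flow A after the timeout: state was erased, so PASS alone no longer matches.
    out["A_late"] = table.process("A", b"PASS again\r\n", now=100.0)
    out["A_late_cf"] = table.state_of("A")
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, bin(value) if isinstance(value, int) else value)
```

The point to take from the model is the ordering guarantee: because Cf only ever gains bits, a signature whose s requires an earlier stage can never be satisfied by packets arriving out of order, and nothing short of the flow timeout can reset that history. The same property means a rule author must choose c bits so that distinct stages never alias each other in the 16 available bits.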