Keyword and regular expressions (Regex) search can be used as an easily adjustable form of deep packet inspection (DPI). This application allows the filtering engine to look deeper into packets. The filtering is based on the content of a packet and not at the superficial information provided by the packet’s headers. Most forms of deep packet inspection are complicated to setup and work-intensive to modify if the format of the packets changes. Keyword and Regex search, on the other hand, is simple to setup and can be modified to fit the requirements. All that needs to be done is to figure out a sequence of characters or a pattern that is found in all the packets and filter based on that.
A keyword can be any sequence of characters, e.g. a word, phrase, number, acronym or (partial) URL. You can use a keyword to categorize packets containing this keyword. Depending on these categorisations you can block packets.
A regular expression is a template or pattern used to find multiple different strings. Regular expressions can be used to identify groups of related URLs in access limiting filters and exceptions from these and as a more flexible form of a keyword to assign URLs to categories for blocking. When you use regular expressions, the filtering units try to match the general pattern rather than a specific, single URL or keyword. Regular expressions match precise terms and are case sensitive.
Keyword Search allows to just filter for a specific sequence of characters, whereas Regex Search allows searching for any pattern defined by the Regex language. This allows searching for many different exact patterns with only one filter. One common usage for Keyword or Regex search is to filter HTTP traffic by URL.
Because of the way Keyword and Regex search work, they need to be done on CPU and are rather processing intensive. The Cubro Sessionmaster can do Keyword or Regex Search for up to 20 Gbit/s with a single CPU module or 40 Gbit/s with two CPU modules.
A government organisation requires an application for massive keyword search and application detection on a large volume of traffic. Having a deep insight into the network empowers the government organization to identify high risk threats and fraudulent activities. Early threat detection can allow the organisation to implement an effective remediation plan.
Cubro Solution – Massive Keyword Search
The Cubro Solution is a combination of Cubro products that worked as a single application.
EXA40 – EXA24160 and EXA48600 – EXA32100
EXA24160 +EX32100 keyword regex
The traffic is tapped as 2 x 100 Gbit links and aggregated.Then the unwanted traffic is filtered out by an EX48600. In the next step the traffic is load balanced to several EXA40Ds or EXA24160s. The EXA does keyword searching for more than 2000 words per unit.Each detected session is tagged and fed back to the EX48600. The EX48600 aggregates the traffic coming from the EXA40D based on the tagging so that all of the traffic is forwarded to the designated output port based on the keyword.