RangerIDS - Intrusion Detection System (IDS)



Stateful Pattern Matching


Stateful pattern matching offers a slightly more sophisticated approach, since it takes the context of the established session into account, rather than basing its analysis on a single packet. 


Stateful IDS products must consider arrival order of packets in a TCP stream and should handle matching patterns across packet boundaries. Thus, if the exploit string to be matched is foobar, and the exploit is split across two packets, with foo in one and bar in another, the simple packet matching IDS will miss the attack, since it will not be able to match the complete string. The stateful IDS, however, will maintain the session context and reassemble the traffic stream, once again making the complete string available to the detection engine. 


This requires more resources than simple pattern matching, since the IDS now has to allocate large amounts of memory and processing power to track a potentially large number of open sessions for as long as possible. This approach does make IDS evasion that much more difficult, though far from impossible.