According to ATRG: IPS or sk95193, there is a statement about the pattern matcher that is a bit ambiguous.
The Pattern Matcher is a fundamental engine within the new enforcement architecture.
- Pattern Matcher quickly identifies harmless packets, common signatures in malicious packets, and does a second level analysis to reduce false positives.
- Pattern Matcher engine provides the ability to find regular expressions on a stream of data using a two tiered inspection process:
- The first tier quickly filters out the vast majority of traffic which is clearly harmless by looking for signatures that are simple to find at a low CPU cost. If the first tier identifies a common attack signature it passes the connection to the second tier to do a second level analysis, thus increasing the confidence that there is indeed an attack.
- The first tier will never decide on its own that a packet is malicious. It can only decide that a packet is clearly harmless.
- The second tier can also be instructed to activate further inspection using INSPECTv2 technology when some patterns are matched.
In my understanding, what the Pattern Matcher should be doing is eliminating harmless or clean traffic and detecting malicious packets. What would be the expected rate of malicious packets found by the first tier compared to the rate of packets that the first tier sends to the second tier in order to pass more complex inspection?
I am under the impression this number is clearly estimated and measured. I would, however, expect this to depend on the type of traffic and be situational and not generic.
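To make the two-tier behaviour quoted above concrete, here is an added illustrative model (not Check Point's code, and not the sk's own numbers): tier 1 only clears packets that contain none of a few cheap fixed-string anchors, tier 2 runs the full regular expressions on whatever was escalated, and the escalation rate is measured on a small constructed sample. The anchors, signatures and packets are all assumptions for the example.

```python
import re

# Constructed two-tier matcher model. Tier 1 is a cheap, case-folded substring
# check; it never declares a packet malicious, it only clears or escalates.
# Every anchor must be a substring that each tier-2 regex requires, so tier 1
# can never clear a packet tier 2 would have flagged.
TIER1_ANCHORS = (b"../", b"<script", b"union")

# Tier 2: full regular expressions, run only on escalated packets (assumed signatures).
TIER2_SIGNATURES = {
    "path-traversal": re.compile(rb"(?:\.\./){2,}"),
    "script-tag": re.compile(rb"<script[^>]*>", re.IGNORECASE),
    "sql-union": re.compile(rb"\bUNION\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE),
}

def tier1_clearly_harmless(payload: bytes) -> bool:
    """True when no cheap anchor is present, i.e. the packet is clearly harmless."""
    low = payload.lower()
    return not any(anchor in low for anchor in TIER1_ANCHORS)

def tier2_match(payload: bytes):
    """Return the name of the first full signature that matches, else None."""
    for name, rx in TIER2_SIGNATURES.items():
        if rx.search(payload):
            return name
    return None

def inspect_stream(packets):
    """Run every packet through both tiers; return counters and per-packet verdicts."""
    stats = {"total": 0, "cleared_tier1": 0, "escalated": 0, "confirmed": 0}
    verdicts = []
    for payload in packets:
        stats["total"] += 1
        if tier1_clearly_harmless(payload):
            stats["cleared_tier1"] += 1
            verdicts.append("clean")
            continue
        stats["escalated"] += 1          # tier 1 can only escalate, never convict
        sig = tier2_match(payload)
        if sig is None:
            verdicts.append("clean")     # tier 2 reduces the tier-1 false positive
        else:
            stats["confirmed"] += 1
            verdicts.append(sig)
    return stats, verdicts

def escalation_rate(stats) -> float:
    """Share of packets tier 1 had to hand to tier 2 (the rate asked about above)."""
    return stats["escalated"] / stats["total"] if stats["total"] else 0.0

SAMPLE_PACKETS = [                                   # constructed sample traffic
    b"GET /index.html HTTP/1.1",
    b"GET /images/../../../etc/passwd HTTP/1.1",
    b"POST /search q=<script>alert(1)</script>",
    b"GET /docs/a../b HTTP/1.1",                     # anchor hit, tier 2 clears it
    b"SELECT name FROM t UNION SELECT 1",
    b"GET /about HTTP/1.1",
]
```

On this sample, four of six packets carry an anchor and are escalated, and tier 2 confirms three of them, which shows why the escalation rate is a property of the traffic mix rather than a fixed figure.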