We have just released Hyperscan 4.5.1 on GitHub.
This is a bugfix release. After we released 4.5 last week, a few things were discovered that required fixes.
From the change log for this release:
- Bugfix for issue #56: workaround for gcc-4.8 C++11 defect.
- Bugfix for literal matching table generation, reversing a regression in
performance for some literal matching cases.
- Bugfixes for hsbench, related to multicore benchmarking, portability fixes
for FreeBSD, and clarifying output results.
- CMake: removed a duplicate else branch that causes very recent (v3.9) builds
of CMake to fail.
I have evaluated one of the hardware PMEs. It allows a set of pattern-ids
to be grouped and submitted to a single PME instance, and allows packet
payload submission with that id.
HTTP Request Header Patterns
/User-Agent/m set=1 subset=1 id=123
/Host/m set=1 subset=1 id=124
HTTP Response Header Patterns (set=2).
/Content-Length/m set=2 subset=1 id=201
/200 OK HTTP/m set=2 subset=1 id=201
We could submit packet data with set and subset onto PME (i.e. HTTP Request
Header will be submitted with set=1 subset=1 and HTTP Response header with
set=2 and subset=1). Scan happens only specific set and subset that is
Is this kind of feature available with hyperscan?
Do we have grouping of patterns? (i.e. pushing patterns with setid or group
id and data scanning only on specific set)
Let's have HTTP (1K patterns), FTP (500 patterns), SMTP (400 patterns) and PDF
file patterns (2k patterns) and we want to make use of a single instance of
hyperscan. If we submit HTTP data to hyperscan it should check only HTTP
I am a newbie to hyperscan. Is there any limit for pushing patterns in
Will it be possible to group patterns (e.g. HTTP patterns set, FTP patterns
set etc.) on a single instance of hyperscan?
We have just released Hyperscan v4.5.0 on GitHub.
The changelog is quite long for this release.
In addition to two new features - approximate matching, and support for AVX-512 instructions - there has been a significant improvement to pattern compilation times in this release, which leads to reduced compile times for many large pattern sets.
The changelog for this release is:
## [4.5.0] 2017-06-09
- New API feature: approximate matching using the "edit distance" extended
parameter. This allows the user to request all matches that are a given edit
distance from an exact match for a pattern.
- Initial support for Intel(R) Advanced Vector Extensions 512 (Intel(R)
AVX-512), disabled by default. To enable it, pass `-DBUILD_AVX512=1` to
- Major compile time improvements in many subsystems, reducing compile time
significantly for many large pattern sets.
- Internal reworking of literal matchers to operate on literals of at
most eight characters, with subsequent confirmation done in the Rose
interpreter. This reduces complexity and bytecode size and improves
performance for many pattern sets.
- Improve performance of the FDR literal matcher front end.
- Improve bucket assignment and other heuristics governing the FDR literal
- Improve optimisation passes that take advantage of extended parameter
constraints (`min_offset`, etc).
- Introduce further lookaround specialisations to improve scanning performance.
- Optimise Rose interpreter construction to reduce the length of programs
generated in some situations.
- Remove the old "Rose" pattern decomposition analysis pass in favour of the
new "Violet" pass introduced in Hyperscan 4.3.0.
- In streaming mode, allow exhaustion (where the stream can no longer produce
matchers) to be detected in more situations, improving scanning performance.
- Improve parsing of control verbs (such as `(*UTF8)`) that can only occur at
the beginning of the pattern. Combinations of supported verbs in any order
are now permitted.
- Update version of PCRE used by testing tools as a syntax and semantic
reference to PCRE 8.40.
- Tuning support for Intel(R) microarchitecture code names Skylake, Skylake
- CMake: when building a native build with a version of GCC that doesn't
recognise the host compiler, tune for the microarch selected by
- CMake: don't fail if SQLite (which is only required to build the `hsbench`
tool) is not present.
- CMake: detect libc++ directly and use that to inform the Boost version
- Bugfix for issue #51: make the fat runtime build wrapper less fragile.
- Bugfix for issues #46, #52: use `sqlite3_errmsg()` to allow SQLite 3.6.x to
be used. Thanks to @EaseTheWorld for the PR.
I am trying to evaluate the hyperscan tool (hsbench). I tried to push more than
6K (10K, 20K etc.) expressions onto hyperscan using hsbench. I didn't
receive any error, but the expression count is showing as 6000 (6k).
Is there any limit on expression count?