Snort mailing list archives
Kernel space Snort. Proof of concept test succeeded.
From: Willem de Bruijn <wdebruij () dds nl>
Date: Tue, 31 Aug 2004 18:56:07 +0200
Hi,

I recently read a topic on the mailing list dd. June 14th, 2004 in which you discussed pushing snort into the kernel. For reference, here's the cached version: http://archives.neohapsis.com/archives/snort/2004-06/0348.html.

While the points that coding for the kernel is (1) seriously different from userspace and (2) more error-prone are valid, there is another option. Hereby I'm shamelessly going to push a piece of work I am involved in, but I wouldn't have done it if I hadn't thought there'd be anything to gain for you guys ;)

At the Universiteit Leiden we've been working on the Fairly Fast Packet Filter (FFPF), which allows filtering to be done both in userspace and in the kernel. While coding the framework itself to work in both environments was quite hard, writing cross-space filters is fairly straightforward, as difficult stuff is not handled by the filters themselves. Also, backward compatibility is ensured by writing a new libpcap backend. Therefore snort can work out of the box with FFPF.

As for filters, we've already ported Aho-Corasick and Boyer-Moore-Horspool, a sampler, etc. For a conference paper we've pitted snort with BMH in the kernel against regular snort and found quite considerable increases in efficiency (some 50% less CPU utilization with an older version of the software; better results are surely obtainable). In general, filtering packets in the kernel will save you many memory copies and context switches, as most packets will not have to traverse the kernelspace/userspace boundary.

Manually rewriting snort to work in the kernel will take a lot of time, however. Therefore, I think that, if you are looking for a simple way to try out snort in the kernel, have a look at FFPF (at ffpf.sourceforge.net). We'll have an OSDI conference paper out shortly and if time permits I'll add more information regarding IDS/IPS to the website. If you're interested please drop me an email.
Oh, and I'm not a member of the list, so please CC me personally with your comments (if any).

cheers,
Willem

--
Willem de Bruijn
+31 6 2695 2446
wdebruij_at_dds.nl
http://www.wdebruij.dds.nl/
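The mail above argues that a content-matching filter such as Boyer-Moore-Horspool, run before packets cross into userspace, spares the IDS a copy and a context switch for every packet that cannot match a signature. The following is an added example, not FFPF's or Snort's code, that makes that argument concrete: a plain BMH search wrapped in a prefilter that counts which packets of a batch would be handed up to userspace and how many payload bytes never leave the filter. The packet payloads, the `uid=0(root)` pattern (the classic shell-response content Snort rules look for) and the names `bmh_search`, `prefilter_batch` and `run_sample` are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Boyer-Moore-Horspool bad-character table: how far the window may slide
 * when the byte under the last pattern position does not yield a match. */
static void bmh_build_skip(const unsigned char *pat, size_t plen, size_t skip[256])
{
    for (int i = 0; i < 256; i++)
        skip[i] = plen;                      /* byte absent from pattern: full jump */
    for (size_t i = 0; i + 1 < plen; i++)
        skip[pat[i]] = plen - 1 - i;         /* rightmost occurrence wins */
}

/* Offset of the first occurrence of pat in buf, or -1 if it is absent.
 * Compares from the right end of the window, as BMH does. */
long bmh_search(const unsigned char *buf, size_t len,
                const unsigned char *pat, size_t plen)
{
    size_t skip[256];
    if (plen == 0 || plen > len)
        return -1;
    bmh_build_skip(pat, plen, skip);

    size_t pos = 0;
    while (pos + plen <= len) {
        size_t j = plen;
        while (j > 0 && buf[pos + j - 1] == pat[j - 1])
            j--;
        if (j == 0)
            return (long)pos;
        pos += skip[buf[pos + plen - 1]];
    }
    return -1;
}

/* A packet as the filter sees it: a payload pointer and its length. */
struct packet {
    const unsigned char *data;
    size_t len;
};

struct filter_stats {
    size_t seen;         /* packets inspected by the filter */
    size_t passed;       /* packets that matched and would be copied to userspace */
    size_t bytes_saved;  /* payload bytes that never cross the boundary */
};

/* Run the content match over a batch; only matching packets "go up". */
struct filter_stats prefilter_batch(const struct packet *pkts, size_t n,
                                    const unsigned char *pat, size_t plen)
{
    struct filter_stats st = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        st.seen++;
        if (bmh_search(pkts[i].data, pkts[i].len, pat, plen) >= 0)
            st.passed++;
        else
            st.bytes_saved += pkts[i].len;
    }
    return st;
}

/* Constructed sample traffic: three benign payloads and two that carry the
 * id(1) output an attack-response signature would look for. */
#define NUM_SAMPLES 5
const char *SAMPLE_PAYLOADS[NUM_SAMPLES] = {
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
    "220 mail.example.test ESMTP ready\r\n",
    "uid=0(root) gid=0(root) groups=0(root)\n",
    "HTTP/1.1 200 OK\r\n\r\nuid=0(root)\n",
    "total 0\n",
};
const char *SAMPLE_PATTERN = "uid=0(root)";

struct filter_stats run_sample(void)
{
    struct packet pkts[NUM_SAMPLES];
    for (size_t i = 0; i < NUM_SAMPLES; i++) {
        pkts[i].data = (const unsigned char *)SAMPLE_PAYLOADS[i];
        pkts[i].len = strlen(SAMPLE_PAYLOADS[i]);
    }
    return prefilter_batch(pkts, NUM_SAMPLES,
                           (const unsigned char *)SAMPLE_PATTERN,
                           strlen(SAMPLE_PATTERN));
}

int main(void)
{
    struct filter_stats st = run_sample();
    printf("inspected %zu packets, passed %zu to userspace, "
           "%zu payload bytes never copied\n",
           st.seen, st.passed, st.bytes_saved);
    return 0;
}
```

The point to take from the counters is the one the mail makes: the cost the prefilter removes is proportional to the traffic that does not match, which on a real link is nearly all of it. A single-pattern BMH filter is the simplest case; a deployment with many content rules would use the Aho-Corasick port mentioned above so that one pass over the payload serves every rule.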
Current thread:
- Kernel space Snort. Proof of concept test succeeded. Willem de Bruijn (Sep 14)
- Re: Kernel space Snort. Proof of concept test succeeded. Alex Butcher, ISC/ISYS (Sep 15)
- Re: Kernel space Snort. Proof of concept test succeeded. Willem de Bruijn (Sep 15)
- Re: Kernel space Snort. Proof of concept test succeeded. Alex Butcher, ISC/ISYS (Sep 15)
- Re: Kernel space Snort. Proof of concept test succeeded. Willem de Bruijn (Sep 15)
- Re: Kernel space Snort. Proof of concept test succeeded. Willem de Bruijn (Sep 15)
- Re: Kernel space Snort. Proof of concept test succeeded. Alex Butcher, ISC/ISYS (Sep 15)