Snort mailing list archives

Re: Snort Kernel Module


From: "Josh Berry" <josh.berry () netschematics com>
Date: Mon, 6 Oct 2003 15:15:58 -0500 (CDT)

Mostly I need the performance improvements this would add.  Where I work
we have some developers, so the cost wouldn't be an issue.  We would like
to run a linux Intrusion Prevention System with
Bridge/Netfilter/Snort-Inline, however, for where we would like to use it,
we are worried that the system would not be able to handle the traffic.  I
have been using Bridge/Netfilter/Snort-Inline at home now for some time and
have done some testing, but do not think that it could handle the load we
would need.  If we could get it to perform at a satisfactory level that
would allow us to use an open-source solution rather than pay $20,000 to
$50,000 for a commercial IPS system.

At 02:04 PM 10/6/2003, Josh Berry wrote:
Are there any projects out there that are trying to move snort into the
Linux kernel, or as a kernel loadable module.  Would this provide any
benefits (security, speed, accuracy)?

Speed would be improved somewhat.
Security would certainly go down very significantly due to increased
privileges. (i.e. an exploit of the snort code would now give kernel-mode
privilege, instead of root or non-root user privilege.)

Is there any reason this would not be possible?

It's possible, but IMO that's not the point.

Would this be incredibly difficult?

Yes, it would be difficult, as most of the code would require a rewrite to
use kernel-level memory and I/O APIs.

Functionality would be limited, since kernel processes don't really have
extensive libraries like glibc provides. i.e. no more mysql support for
sure.

It would also be incredibly foolish from a security perspective and it
would make snort a Linux-specific tool.

The kernel should only implement things which belong in the kernel. Moving
complex user-space processes into the kernel is dangerous and should only
be done with considerable reason to do so. Unlike an application, if a
piece of the kernel fails and munges memory, most of the time the system
goes down completely with no graceful shutdown. No disk sync, no nothing..
just oops and crash.

If an app munges memory, it just segfaults and gets dumped, but the system
keeps running.

Also, code running at the kernel level has significantly more privilege
than even the root user has. It can touch any memory, or any hardware in
the entire system without any restrictions. Even root has to jump through
some hoops (i.e. loading a module) to do this, and on a well-secured
system, even root can't load kernel mode code. (yes, I do use grsecurity
patches on my Linux boxes and have no loadable module support.)
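The privilege argument in the reply above (an exploit of user-space Snort yields root at worst, or an unprivileged user if privileges were dropped; an exploit of in-kernel code yields ring 0) shown as the user-space mitigation it implies. This is an added example, not code from this thread or from Snort; Snort's own -u, -g and -t switches implement the same open-then-drop sequence. The uid/gid 65534 used in main() is assumed to be "nobody" and is a placeholder for whatever unprivileged account the sensor should run as.

```c
/* Added example (not from the snort-users thread or the Snort source):
 * open the capture socket as root, then permanently drop to an
 * unprivileged user so that a bug in the packet-processing code hands an
 * attacker that user, not root and not kernel mode. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#endif

/* Step 1 (as root): open the raw packet socket. This is the only
 * operation that needs root; everything after it runs unprivileged.
 * Returns the descriptor, or -1 with errno set (ENOSYS off Linux). */
int open_capture_socket(void)
{
#ifdef __linux__
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Step 2: permanently drop to uid/gid. Returns 0 on success, -1 on
 * failure. Order matters: supplementary groups first, then gid, then
 * uid, because once the uid is non-root the other two can no longer be
 * changed. setuid() (not seteuid()) is used so the drop is not reversible. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                      /* clear supplementary groups */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm both real and effective ids changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Returns 1 if the process can still become root (never left root, or
 * the drop was not permanent), 0 otherwise. After a correct
 * drop_privileges() to a non-root uid this must return 0. */
int can_regain_root(void)
{
    return setuid(0) == 0 ? 1 : 0;
}

int main(void)
{
    /* Assumption: 65534 is "nobody". If we are not root, stay as ourselves
     * so the flow can still be demonstrated. */
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();

    int fd = open_capture_socket();
    if (fd < 0)
        fprintf(stderr, "capture socket: %s (needs root on Linux)\n",
                strerror(errno));
    else
        printf("capture socket opened as uid %u\n", (unsigned)geteuid());

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid %u gid %u; can regain root: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           can_regain_root() ? "yes" : "no");

    /* The already-open socket keeps working without root: from here on a
     * memory bug in the packet parser segfaults an unprivileged process
     * instead of corrupting the kernel. */
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run it as root on Linux to see the socket open and the drop to 65534; run it unprivileged and the socket call fails while the drop to your own uid still succeeds, which is the state an exploit of the user-space sensor would land in.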
