Snort mailing list archives
Re: Snort Kernel Module
From: "Josh Berry" <josh.berry () netschematics com>
Date: Mon, 6 Oct 2003 15:15:58 -0500 (CDT)
Mostly I need the performance improvements this would add. Where I work we have some developers, so the cost wouldn't be an issue. We would like to run a Linux Intrusion Prevention System with Bridge/Netfilter/Snort-Inline; however, for where we would like to use it, we are worried that the system would not be able to handle the traffic. I have been using Bridge/Netfilter/Snort-Inline at home now for some time and have done some testing, but do not think that it could handle the load we would need. If we could get it to perform at a satisfactory level, that would allow us to use an open-source solution rather than pay $20,000 to $50,000 for a commercial IPS system.
> At 02:04 PM 10/6/2003, Josh Berry wrote:
> > Are there any projects out there that are trying to move snort into the Linux kernel, or as a kernel loadable module? Would this provide any benefits (security, speed, accuracy)?
>
> Speed would be improved somewhat. Security would certainly go down very significantly due to increased privileges (i.e., an exploit of the snort code would now give kernel-mode privilege, instead of root or non-root user privilege).
>
> > Is there any reason this would not be possible?
>
> It's possible, but IMO that's not the point.
>
> > Would this be incredibly difficult?
>
> Yes, it would be difficult, as most of the code would require a rewrite to use kernel-level memory and IO APIs. Functionality would be limited, since kernel processes don't really have extensive libraries like glibc provides; i.e., no more mysql support for sure.
>
> It would also be incredibly foolish from a security perspective, and it would make snort a Linux-specific tool. The kernel should only implement things which belong in the kernel. Moving complex user-space processes into the kernel is dangerous and should only be done with considerable reason to do so.
>
> Unlike an application, if a piece of the kernel fails and munges memory, most of the time the system goes down completely with no graceful shutdown. No disk sync, no nothing.. just oops and crash. If an app munges memory, it just segfaults and gets dumped, but the system keeps running.
>
> Also, code running at the kernel level has significantly more privilege than even the root user has. It can touch any memory, or any hardware in the entire system, without any restrictions. Even root has to jump through some hoops (i.e., loading a module) to do this, and on a well-secured system, even root can't load kernel-mode code. (Yes, I do use grsecurity patches on my Linux boxes and have no loadable module support.)
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
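The fault-isolation argument in the quoted reply (a user-space process that corrupts memory dies alone, while the same bug in kernel code takes the whole machine with it) can be shown concretely. The following C program is an added example, not code from this thread or from Snort: a supervisor forks a toy content-matching worker, and whether the worker finishes normally or dies from a fault, the supervisor survives and can report it. The sample payload, the rule pattern and the function names (`payload_matches`, `run_isolated`, `healthy_worker`, `faulty_worker`) are all constructed for this illustration; the fault is simulated with a deliberate SIGSEGV so the run is deterministic.

```c
/* Added example (not from the thread or from Snort): a user-space
 * detection worker run under a supervisor. A memory bug in the worker
 * ends only that process; the supervisor keeps running. The packet and
 * rule below are constructed sample data, not captured traffic. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample payload standing in for a captured packet. */
static const unsigned char SAMPLE_PKT[] = "GET /cgi-bin/phf?name=x HTTP/1.0\r\n";

/* Toy content match: does the rule's pattern occur anywhere in the payload?
 * Returns 1 on a match, 0 otherwise (never reads past len bytes). */
int payload_matches(const unsigned char *pkt, size_t len, const char *pattern) {
    size_t plen = strlen(pattern);
    if (plen == 0 || plen > len) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(pkt + i, pattern, plen) == 0) return 1;
    return 0;
}

/* Worker body that behaves: returns 1 if the sample packet matches. */
int healthy_worker(void) {
    return payload_matches(SAMPLE_PKT, sizeof SAMPLE_PKT - 1, "/cgi-bin/phf");
}

/* Worker body that "munges memory". Simulated with a deliberate SIGSEGV
 * so the outcome is deterministic; a real bug would be a bad pointer. */
int faulty_worker(void) {
    raise(SIGSEGV);
    return 0; /* never reached */
}

/* Run fn() in a forked child and report how it ended:
 *   >= 0 : the child's exit status (fn's return value)
 *   -1   : the child was killed by a signal (fault contained)
 *   -2   : fork() or waitpid() failed */
int run_isolated(int (*fn)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -2;
    if (pid == 0) {
        /* Child: the worker runs here with no more privilege than the
         * supervisor gave it; in a real deployment this is also where
         * privileges would be dropped after opening the capture socket
         * (hypothetical step, not implemented in this example). */
        _exit(fn() & 0xff);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -2;
    if (WIFSIGNALED(status)) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return -2;
}

int main(void) {
    int r1 = run_isolated(healthy_worker);
    printf("healthy worker: %d (1 = rule matched)\n", r1);
    int r2 = run_isolated(faulty_worker);
    printf("faulty worker: %d (-1 = died by signal; supervisor still running)\n", r2);
    return 0;
}
```

The supervisor/worker split is the user-space counterpart of the "oops and crash" contrast in the reply: the faulty worker's SIGSEGV is delivered to one process, `waitpid` reports it, and the parent decides what to do next (log, restart, alert). Compiled into the kernel, the same bad dereference would have no process boundary to stop at.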
Current thread:
- Snort Kernel Module Josh Berry (Oct 06)
- Re: Snort Kernel Module Matt Kettler (Oct 06)
- Re: Snort Kernel Module Josh Berry (Oct 06)
- Re: Snort Kernel Module Mark Nipper (Oct 06)
- Re: Snort Kernel Module Jason Haar (Oct 06)
- Re: Snort Kernel Module pieter claassen (Oct 06)
- Re: Snort Kernel Module Josh Berry (Oct 06)
- Re: Snort Kernel Module Matt Kettler (Oct 06)
- <Possible follow-ups>
- Re: Snort Kernel Module Ravi Kumar (Oct 06)
- Re: Snort Kernel Module Dragos Ruiu (Oct 07)
- Re: Snort Kernel Module pieter claassen (Oct 07)
- Re: Snort Kernel Module Dragos Ruiu (Oct 07)