On 10/6/06, Chris Buechler <[EMAIL PROTECTED]> wrote:
Scott Ullrich wrote:
> It is a delayed IDS.   Generally an IPS hooks into the network stack
> directly and does not allow the traffic to pass through until it's
> scanned.

Yep, sometimes these are called intrusion reaction systems, reactive
firewalls, or other sundry terms.

And generally you probably aren't going to want to hook snort into your
network stack like that, because of the limitations of PC hardware.

You could, theoretically, disable routing, then let the BPF read
packets on one side and inject them on the other.  However, the
performance penalty of moving into userspace, through an application
(scheduler latency), and then out to kernel space again, is probably
prohibitive.  But at least you know when you're hitting your limit
without risking dropped packets.

What you really want to do is be able to load the matching up into the
kernel using some sort of sandboxing so that the complicated decoders
and such don't cause a kernel panic.  Some recent research papers show
that this can be done with a ~17% performance penalty on x86 hardware
with instruction re-writing.  Then you can do all your work without
incurring a copy/remap between kernelspace and userland.
--
"It's not like I'm encrypting... it's just that my communications
developed a massive entropy deficiency." -><-
<URL:http://www.subspacefield.org/~travis/>
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484