On 10/6/06, Chris Buechler <[EMAIL PROTECTED]> wrote:
Scott Ullrich wrote: > It is a delayed IDS. Generally an IPS hooks into the network stack > directly and does not allow the traffic to pass through until its > scanned.
Yep, sometimes these are called intrusion reaction systems, reactive firewalls, or other sundry terms.
And generally you probably aren't going to want to hook snort into your network stack like that, because of the limitations of PC hardware.
You could, theoretically, disable routing, then let the BPF read packets on one side and inject them on the other. However, the performance penalty of moving into userspace, through an application (scheduler latency), and then out to kernel space again, is probably prohibitive. But at least you know when you're hitting your limit without risking dropped packets. What you really want to do is be able to load the matching up into the kernel using some sort of sandboxing so that the complicated decoders and such don't cause a kernel panic. Some recent research papers show that this can be done with a ~17% performance penalty on x86 hardware with instruction re-writing. Then you can do all your work without incurring a copy/remap between kernelspace and userland. -- "It's not like I'm encrypting... it's just that my communications developed a massive entropy deficiency." -><- <URL:http://www.subspacefield.org/~travis/> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
