[Snort-devel] Re: an indictment of my protocol engine proposal

Todd Lewis tlewis at ...255...
Fri Apr 13 02:14:53 EDT 2001

On Mon, 9 Apr 2001, Todd Lewis wrote:

> The protocol engine mechanism I propose is too heavyweight.

And now for another episode of The Young, The Restless, and The Foolish.

Jon Ramsey, SecureWorks' head of development, is a wonderful and talented
developer, trained at one of the prestigious CS schools of the great white
north, while I am a redneck sysadmin from the back woods of Alabama.
Ever since I have known him, I have given Jon no end of grief for
over-engineering everything.  "It's all duct-tape anyway, Jon, so you
might as well treat it as such."  "Why are you coding that in C when a
zsh script would do the job?"

Well, on Tuesday, I had that exact same argument thrown right back in
my face over the rule system.  This whole notion of a hybrid protocol
engine/protocol description language design is very, very much more
complicated than my original protocol engine proposal.  Further, it's
an optimization to solve a problem that hasn't even been confirmed.
I asked Jon, "So what you're saying is that I should stop trying to
make it perfect and just go with what I have, because it's good enough?"
He responded, "Isn't that what you would tell me to do?"

As usual, he was exactly right.  No proposal is perfect, but with
my half-baked language-based counter-proposal, I am allowing my
desire to expose my proposal to criticism to overwhelm a good design.
A language-based design would be much more difficult, and it's not at
all clear that the end result would be any better.  I am proceeding with
my original protocol engine proposal.

I will be on vacation with family next week, and during that time I plan
to take my proposal that I've submitted to the list and complete it.
The final version of the document will include my own reservations
about the proposal so that they're on the record for future reference.

If time permits, then I plan to start work on a prototype implementation;
if not, then I will start when I get back.  For the prototype, I plan
to implement a non-optimized matcher and a small set of protocol engines
with a few supported operations.  Perhaps something like this:

	s/d mac address matching
	ethernet proto matching
ip (rfc-791)
	s/d address matching
	ttl matching
	ip proto matching
udp (rfc-768)
	s/d port matching
	length matching
icmp (rfc-792)
	type matching
	code matching

(N.b., except for IP address matching, which will support masks, the
rest of these will be integer ranges.  That means that they can share
syntax and data structures, ergo they can share a decoder routine,
which will be very nice.)

I will also be adapting the paengine interface to use the dg datastructure
and will port one of the paengines, probably pcap, to the new interface.
I will then run some traffic through this system, profile the results,
and share them and the code with the developer community.

I also plan to draw up some specifications for different protocol engines
and the operations they might support.  (The above list is incomplete for
most of the protocols I list and is not detailed enough.)  This should
be a good starting point for people who want to write protocol engines.
These little babies will, I predict, be very fun pieces of code to own,
and so if anyone wants to go ahead and mark their territory around a
pe that they would like to write, then I encourage you to announce your
intentions to snort-devel.  I'd love to work with someone to write a pe
or two during the prototype stage to get a reality check on how reasonable
and understandable the proposal is for people other than me.

Based on my experience with the prototype, there will probably be some
changes to the proposal, but I have a good feeling that the basic proposal
is pretty solid.  Time will tell.

At that point, I think that my proposal will be ready to be stacked up
against any competing proposals (including maintaining the present core)
for the 2.0 effort.  If we do decide that we want to go with my proposal,
then we will be in good shape to do so on a fast basis, confident that
we understand what we're getting ourselves into.

So, pay no attention to the bumbling man behind the curtain.  Let those
scathing criticisms of my original proposal fly.

Todd Lewis
tlewis at ...255...
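The design sketched in the post (a non-optimized matcher, per-protocol engines for IP and UDP, integer-range operations that share one data structure and one decoder, and masked matching only for IP addresses) can be illustrated with a small C example. This is an added illustration, not Todd Lewis's prototype and not Snort code; the field enum, the `op` and `rule` structs, the function names and the sample packet bytes are all constructed here for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields a protocol engine can expose. Every field except the two IP
 * addresses is matched as an inclusive integer range, so they all share
 * the same op layout and the same comparison code. (Names are assumed.) */
enum field {
    F_IP_TTL, F_IP_PROTO, F_UDP_SPORT, F_UDP_DPORT, F_UDP_LEN, /* integer ranges */
    F_IP_SRC, F_IP_DST                                          /* address + mask */
};

struct op {
    enum field field;
    uint32_t lo, hi;      /* inclusive range, used by integer fields */
    uint32_t addr, mask;  /* network address and mask, used by address fields */
};

struct rule { const struct op *ops; size_t nops; };

/* Decoded view of one packet, filled in by the protocol engines below. */
struct fields {
    uint32_t ip_src, ip_dst;
    uint8_t ttl, proto;
    int has_udp;                   /* 0 when the UDP engine did not run */
    uint16_t sport, dport, ulen;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* IPv4 engine (RFC 791); hands off to the UDP engine (RFC 768) for protocol 17.
 * Returns 1 on a well-formed header, 0 if the buffer is truncated or not IPv4. */
int decode_ipv4(const uint8_t *buf, size_t len, struct fields *f)
{
    memset(f, 0, sizeof *f);
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    size_t ihl = (buf[0] & 0x0f) * 4u;
    if (ihl < 20 || len < ihl) return 0;
    f->ttl = buf[8];
    f->proto = buf[9];
    f->ip_src = rd32(buf + 12);
    f->ip_dst = rd32(buf + 16);
    if (f->proto == 17 && len >= ihl + 8) {       /* UDP engine */
        const uint8_t *u = buf + ihl;
        f->sport = rd16(u); f->dport = rd16(u + 2); f->ulen = rd16(u + 4);
        f->has_udp = 1;
    }
    return 1;
}

/* One lookup shared by every integer-range op. Returns 0 when the field is
 * absent from this packet (e.g. a UDP port on an ICMP packet), so the op fails. */
static int get_int(const struct fields *f, enum field fld, uint32_t *out)
{
    switch (fld) {
    case F_IP_TTL:    *out = f->ttl;   return 1;
    case F_IP_PROTO:  *out = f->proto; return 1;
    case F_UDP_SPORT: if (!f->has_udp) return 0; *out = f->sport; return 1;
    case F_UDP_DPORT: if (!f->has_udp) return 0; *out = f->dport; return 1;
    case F_UDP_LEN:   if (!f->has_udp) return 0; *out = f->ulen;  return 1;
    default: return 0;
    }
}

/* Non-optimized matcher: every op in the rule must hold. */
int match_rule(const struct rule *r, const struct fields *f)
{
    for (size_t i = 0; i < r->nops; i++) {
        const struct op *o = &r->ops[i];
        uint32_t v;
        if (o->field == F_IP_SRC || o->field == F_IP_DST) {
            uint32_t a = (o->field == F_IP_SRC) ? f->ip_src : f->ip_dst;
            if ((a & o->mask) != (o->addr & o->mask)) return 0;
        } else if (!get_int(f, o->field, &v) || v < o->lo || v > o->hi) {
            return 0;
        }
    }
    return 1;
}

/* Constructed sample: IPv4 10.0.0.5 -> 192.168.1.10, TTL 64, UDP 40000 -> 53, length 8. */
static const uint8_t sample_pkt[28] = {
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x05, 0xc0,0xa8,0x01,0x0a,
    0x9c,0x40, 0x00,0x35, 0x00,0x08, 0x00,0x00
};

/* Constructed rule: UDP to port 53 on 192.168.1.0/24 with TTL between 1 and 64. */
static const struct op dns_ops[] = {
    { F_IP_PROTO,  17, 17, 0, 0 },
    { F_IP_TTL,     1, 64, 0, 0 },
    { F_UDP_DPORT, 53, 53, 0, 0 },
    { F_IP_DST,     0,  0, 0xc0a80100u, 0xffffff00u },
};
static const struct rule dns_rule = { dns_ops, 4 };

/* 1 if the sample packet matches the DNS rule, 0 if not, -1 if it fails to decode. */
int demo_match(void)
{
    struct fields f;
    if (!decode_ipv4(sample_pkt, sizeof sample_pkt, &f)) return -1;
    return match_rule(&dns_rule, &f);
}

int main(void)
{
    printf("sample packet matches dns rule: %d\n", demo_match());
    return 0;
}
```

The point of the shared `op` layout is the one made in the post: adding an integer-range field to a new engine means adding one `case` to `get_int`, not a new syntax or a new comparison path, while the address/mask case stays the single exception.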
