[Snort-devel] Re: FFPF with Snort

Willem de Bruijn wdebruij at ...323...
Mon Feb 21 07:06:44 EST 2005


Hi Chris,

  it's nice to hear you're interested in this. You're right about the 
conference paper. We've executed the tests and they were supposed to go into 
the OSDI paper, but as the variation in results was somewhat high we decided 
to remove it from later drafts. If you want I can try to fetch an older 
version from CVS. 

About the implementation: first of all, a student just started working on 
connecting kernelspace FFPF with userspace applications through libipq. I 
don't know too much about that, but it might be interesting.

The prototype we had running was basically a proof-of-concept hack: we loaded 
the signature-checking algorithm (Aho-Corasick) into kernelspace FFPF and 
hooked snort up to its output using our mmapped libpcap interface. Userspace 
snort didn't have to do any filtering itself, only reporting.

The hack should be streamlined, of course, but it already proved beneficial 
because the memory copy overhead is largely removed. You can find out how 
much it will save you by profiling memory bottlenecks in your current snort 
setup.

I hope this makes it somewhat clear. I'm still quite certain that using Snort + 
kernelspace FFPF is a great step forward and can be done without too much 
work. Therefore, if you have any questions, just ask.

cheers,

Willem

On Sunday 13 February 2005 23:09, you wrote:
> Willem,
>
> I saw your post in the Snort mailing list a while back
> about FFPF integration with Snort. You made mention of
> a conference paper where you integrated FFPF with
> Snort. Is that paper available? I didn't see it on the
> Sourceforge site. How difficult was it to integrate?
> I would love to try this.
>
> Thanks,
>
> --Chris Harrington
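The message above says the prototype pushed the signature-checking algorithm, Aho-Corasick, down into kernelspace FFPF so that userspace Snort only had to report. As an added illustration of what that algorithm does (this is example code written for this page, not FFPF's kernel module or Snort's own matcher), the block below is a minimal userspace Aho-Corasick matcher in C: a byte-level trie whose failure links are precomputed so that scanning a payload costs one table lookup per byte regardless of how many signatures are loaded. The signature list, the `ac_*` names and the sample payloads are constructed for the demo.

```c
/* Added example, not FFPF or Snort code: a minimal Aho-Corasick multi-pattern
 * matcher in plain C (the algorithm the message says ran in kernelspace FFPF).
 * The signature list is constructed for the demo. */
#include <stdint.h>
#include <string.h>

#define AC_MAX_NODES 256   /* trie states available; plenty for the demo set */
#define AC_ALPHA     256   /* one transition per byte value */
#define AC_MAX_PATS  31    /* matches are reported as a 32-bit mask */

struct ac_node {
    int next[AC_ALPHA];    /* goto function; -1 until ac_build() completes it */
    int fail;              /* longest proper suffix that is also a trie path */
    uint32_t out;          /* bit i set: pattern i ends here or via fail chain */
};
static struct ac_node ac_nodes[AC_MAX_NODES];
static int ac_node_count;

/* Constructed demo signatures; "sh" deliberately overlaps "/bin/sh". */
static const char *ac_signatures[] = { "/bin/sh", "cmd.exe", "UNION SELECT", "sh", NULL };

static int ac_new_node(void)
{
    if (ac_node_count >= AC_MAX_NODES) return -1;
    struct ac_node *n = &ac_nodes[ac_node_count];
    for (int c = 0; c < AC_ALPHA; c++) n->next[c] = -1;
    n->fail = 0; n->out = 0;
    return ac_node_count++;
}

/* Add one byte pattern (NUL bytes allowed) as pattern number idx. */
static int ac_add(const uint8_t *pat, size_t len, int idx)
{
    if (idx >= AC_MAX_PATS) return -1;
    int cur = 0;
    for (size_t i = 0; i < len; i++) {
        if (ac_nodes[cur].next[pat[i]] < 0) {
            int nn = ac_new_node();
            if (nn < 0) return -1;
            ac_nodes[cur].next[pat[i]] = nn;
        }
        cur = ac_nodes[cur].next[pat[i]];
    }
    ac_nodes[cur].out |= 1u << idx;
    return 0;
}

/* BFS over the trie: set failure links, merge output sets along them, and
 * fill every missing edge so scanning is one table lookup per input byte. */
static void ac_build(void)
{
    static int queue[AC_MAX_NODES];
    int head = 0, tail = 0;
    for (int c = 0; c < AC_ALPHA; c++) {
        int v = ac_nodes[0].next[c];
        if (v < 0) ac_nodes[0].next[c] = 0;   /* root loops to itself */
        else queue[tail++] = v;               /* depth-1 states fail to root */
    }
    while (head < tail) {
        int u = queue[head++];
        ac_nodes[u].out |= ac_nodes[ac_nodes[u].fail].out;
        for (int c = 0; c < AC_ALPHA; c++) {
            int v = ac_nodes[u].next[c];
            int via_fail = ac_nodes[ac_nodes[u].fail].next[c];  /* shallower state: already complete */
            if (v < 0) { ac_nodes[u].next[c] = via_fail; continue; }
            ac_nodes[v].fail = via_fail;
            queue[tail++] = v;
        }
    }
}

/* Build the automaton from ac_signatures; returns 0 on success. */
int ac_init(void)
{
    ac_node_count = 0;
    if (ac_new_node() < 0) return -1;   /* state 0 is the root */
    for (int i = 0; ac_signatures[i]; i++)
        if (ac_add((const uint8_t *)ac_signatures[i], strlen(ac_signatures[i]), i) < 0)
            return -1;
    ac_build();
    return 0;
}

/* One pass over buf: returns the mask of signatures seen; *hits (if non-NULL)
 * receives the number of matches, counting overlapping ones separately. */
uint32_t ac_scan(const uint8_t *buf, size_t len, int *hits)
{
    int cur = 0, n = 0;
    uint32_t seen = 0;
    for (size_t i = 0; i < len; i++) {
        cur = ac_nodes[cur].next[buf[i]];
        for (uint32_t m = ac_nodes[cur].out; m; m &= m - 1) n++;
        seen |= ac_nodes[cur].out;
    }
    if (hits) *hits = n;
    return seen;
}

/* Convenience: match count for a NUL-terminated payload. */
int ac_hits(const char *s) { int n; ac_scan((const uint8_t *)s, strlen(s), &n); return n; }
```

Call `ac_init()` once after the signature list is fixed, then `ac_scan()` per packet payload; the build step is the expensive part, the scan itself never backtracks, which is what makes the algorithm attractive for an in-kernel filter stage. Matching here is byte-exact and case-sensitive, so a constructed payload such as `"GET /?q=1;/bin/sh HTTP/1.0 cmd.exe"` yields three hits (`/bin/sh`, the overlapping `sh`, and `cmd.exe`) while a lowercase `union select` yields none.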
