[Snort-devel] Re: FFPF with Snort
Willem de Bruijn
wdebruij at ...323...
Mon Feb 21 07:06:44 EST 2005
It's nice to hear you're interested in this. You're right about the
conference paper. We've executed the tests and they were supposed to go into
the OSDI paper, but as the variation in results was somewhat high we decided
to remove it from later drafts. If you want I can try to fetch an older
version from CVS.
About the implementation: first of all, a student just started working on
connecting kernelspace FFPF with userspace applications through libipq. I
don't know too much about that, but it might be interesting.
The prototype we had running was basically a proof-of-concept hack: we loaded
the signature-checking algorithm (Aho-Corasick) into kernelspace FFPF and
hooked snort up to its output using our mmapped libpcap interface. Userspace
snort didn't have to do any filtering itself, only reporting.
The hack should be streamlined, of course, but it already proved beneficial
because the memory copy overhead is largely removed. You can find out how
much it will save you by profiling memory bottlenecks in your current snort.
I hope this makes it somewhat clear. I'm still quite certain that using Snort+
kernelspace FFPF is a great step forward and can be done without too much
work. Therefore, if you have any questions, just ask.
On Sunday 13 February 2005 23:09, you wrote:
> I saw your post in the Snort mailing list a while back
> about FFPF integration with Snort. You made mention of
> a conference paper where you integrated FFPF with
> Snort. Is that paper available? I didn't see it on the
> Sourceforge site. How difficult was it to integrate?
> I would love to try this.
> --Chris Harrington
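The message above describes running the Aho-Corasick signature matcher in the kernel and leaving userspace Snort with reporting only. The following is an added illustration of that split, written for this page and not code from FFPF, Snort or the poster: a small Aho-Corasick automaton that scans constructed payloads once and emits only match events, and a separate reporting step that consumes those events. The signature names, patterns and sample packets are all constructed for the example.

```python
"""Aho-Corasick multi-pattern matching split into a matcher and a reporter.

The matcher does the per-byte work (the part the mail describes moving into
kernelspace FFPF); the reporter only formats the match events it receives.
Signatures and packets below are constructed for this example.
"""
from collections import deque

# Constructed content signatures: name -> byte pattern. "passwd" is a suffix
# of "/etc/passwd" on purpose, to show that overlapping patterns are both
# reported in a single pass.
SIGNATURES = {
    "etc_passwd": b"/etc/passwd",
    "passwd": b"passwd",
    "cmd_exe": b"cmd.exe",
}

# Constructed sample payloads; only the last two should trigger signatures.
PACKETS = [
    b"GET /index.html HTTP/1.0",
    b"GET /etc/passwd HTTP/1.0",
    b"GET /scripts/cmd.exe HTTP/1.0",
]


class AhoCorasick:
    """Classic Aho-Corasick automaton over bytes (dict-based goto table)."""

    def __init__(self, patterns):
        self.goto = [{}]    # goto[node][byte] -> next node
        self.fail = [0]     # failure link per node
        self.out = [[]]     # list of (name, pattern_length) ending at node
        for name, pat in patterns.items():
            self._add(name, pat)
        self._build_failure_links()

    def _add(self, name, pat):
        node = 0
        for b in pat:
            nxt = self.goto[node].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[node][b] = nxt
            node = nxt
        self.out[node].append((name, len(pat)))

    def _build_failure_links(self):
        # Breadth-first so that fail[child] is final before it is read.
        queue = deque(self.goto[0].values())
        while queue:
            cur = queue.popleft()
            for b, nxt in self.goto[cur].items():
                f = self.fail[cur]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(b, 0)
                # A node also outputs every pattern that ends at its fail node,
                # so "/etc/passwd" ending here also reports "passwd".
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def scan(self, payload):
        """Return (offset, signature_name) for every match, in one pass."""
        hits = []
        node = 0
        for i, b in enumerate(payload):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for name, plen in self.out[node]:
                hits.append((i - plen + 1, name))
        return hits


def scan_packets(packets, signatures=SIGNATURES):
    """Matcher side: produce (packet_index, offset, name) events only."""
    ac = AhoCorasick(signatures)
    return [(idx, off, name)
            for idx, pkt in enumerate(packets)
            for off, name in ac.scan(pkt)]


def report(events):
    """Reporter side: no payload inspection, just formatting of events."""
    return ["packet %d offset %d: signature %s" % ev for ev in events]


if __name__ == "__main__":
    for line in report(scan_packets(PACKETS)):
        print(line)
```

The point of keeping `scan` and `report` apart is that the reporter never needs the payload bytes: if the matcher runs elsewhere (here, the kernel-side filter the mail refers to), only the small event records cross the boundary, which is where the copy savings the author mentions come from.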