[Snort-devel] IXA Port

justin.latham at ...2499... justin.latham at ...2499...
Sun Feb 11 14:23:54 EST 2007


Matt, thanks for the response.  To answer a question from another email, 
the board I'm using is based on the IXP2350, which is a slightly newer 
product, but roughly comparable to the IXP1200. 

I should have been a little more clear on my goals since I know there are 
some big holes...  In general, the concept is that the NP has some extra 
processing cycles to spend while still maintaining line rate.  So, in 
theory it can do some "pre-screening" of packets prior to bridging them 
to the network.  This is not really intended as a replacement for a more 
complete IDS / IPS that can handle more complicated attacks, but is a 
complement that can remove some of the stress on an IDS/IPS system by 
picking out single packets that might be offenders at the router.

I've already written an application that can parse the PCRE and Content 
options of Snort rules and detects single packets that match those 
rules.  I thought one of the additional work projects I could do was 
to actually port the Snort detection engine to the IXA SDK and compare 
performance, particularly since my application doesn't support any of 
the header matching, case insensitivity, or other things that Snort can 
do.

Justin

Matthew Watchinski wrote:
> To be more helpful I would need additional information on the IXP family
> and what additional chips you plan on using alongside it.
>
> But here are some general things to think about.
>
> 1. Stream reassembly.  Most Network Processors don't have the ability to
> reassemble streams; they are per-packet inspection engines.  This isn't
> that useful in IPS/IDS.
>
> 2. Fragmentation support. Some NPCs support this, some don't.
>
> 3. Full Regex Support.  If you don't have regular expression support it
> will be very difficult to support converting any snort rules.
>
> 4. Multi-Ordered Content Matches - If your NPC supports content matching,
> does it support functionality like the relative keyword in the snort
> rules language?
>
> Cheers,
> -matt
>
> justin.latham at ...2499... wrote:
>   
>> Hello all,
>> I'm relatively new to Snort, and as part of my master's thesis, I am 
>> going to attempt to port at least the detection engine to an IXA (Intel 
>> Internet Exchange Architecture) network processor appliance.  I am 
>> curious if anybody knows of any previous work done in this area or if 
>> any of the more experienced users have any advice they may want to offer.
>>
>> Thanks,
>> Justin Latham
>>
>
>
>   
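An added example, not code from this thread or from Snort: a per-packet evaluator for an ordered chain of content matches with case insensitivity and relative positioning, the features raised in the message and in point 4 of the quoted reply. The struct, function names, the rule fragment and the simplified distance/within semantics (window measured from the search start) are assumptions made for illustration.

```c
#include <ctype.h>
#include <string.h>

/* One content option in an ordered chain (hypothetical struct, not Snort's). */
struct content {
    const char *pat; size_t len;
    int nocase;       /* 1 = ASCII case-insensitive compare */
    int relative;     /* 1 = positioned from the end of the previous match */
    size_t distance;  /* bytes skipped after the previous match */
    size_t within;    /* 0 = unbounded, else window size from search start */
};

int bytes_eq(const unsigned char *p, const char *pat, size_t n, int nocase)
{
    for (size_t i = 0; i < n; i++) {
        int a = p[i], b = (unsigned char)pat[i];
        if (nocase) { a = tolower(a); b = tolower(b); }
        if (a != b) return 0;
    }
    return 1;
}

/* Match c[0..n) in order inside one payload. prev_end is the end offset of
 * the previous match. Recursion backtracks: when a later content fails, the
 * earlier one is retried at its next occurrence. Returns 1 on match. */
int match_chain(const unsigned char *pl, size_t plen,
                const struct content *c, size_t n, size_t prev_end)
{
    if (n == 0) return 1;
    size_t start = c->relative ? prev_end + c->distance : 0;
    if (c->len == 0 || start > plen) return 0;
    size_t limit = plen;                      /* exclusive bound on match end */
    if (c->relative && c->within && c->within < plen - start)
        limit = start + c->within;
    for (size_t pos = start; pos + c->len <= limit; pos++)
        if (bytes_eq(pl + pos, c->pat, c->len, c->nocase) &&
            match_chain(pl, plen, c + 1, n - 1, pos + c->len))
            return 1;
    return 0;
}

/* Constructed rule: content:"USER"; nocase; content:"root"; distance:1; within:8; */
int prescreen(const char *payload)
{
    static const struct content rule[] = {
        { "USER", 4, 1, 0, 0, 0 }, { "root", 4, 0, 1, 1, 8 } };
    return match_chain((const unsigned char *)payload, strlen(payload), rule, 2, 0);
}
int main(void) { return prescreen("user root\r\n") ? 0 : 1; }
```

A payload split across two packets ("USER ro" then "ot") matches in neither half, which is the stream reassembly limitation from point 1 of the quoted reply.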