[Snort-devel] IXA Port

snort user snort.user at ...2499...
Mon Feb 12 12:03:46 EST 2007


Just curious. Did you port some PCRE library to this platform, or
write it from scratch?

Regarding the other part --

It is fairly straightforward to port the snort decoding code into IXP.
However, when it comes to frag reassembly and stream reassembly, it is trickier.

IXP 1200 did not have any support for memory allocation (malloc-like)
and other library functions. I don't know if IXP2350 provides any...



On 2/11/07, justin.latham at ...2499... <justin.latham at ...2499...> wrote:
> Matt, thanks for the response.  To answer a question from another email,
> the board I'm using is based on the IXP2350, which is a slightly newer
> product, but roughly comparable to the IXP1200.
>
> I should have been a little more clear on my goals since I know there's
> some big holes...  In general, the concept is that the NP has some extra
> processing cycles to spend while still maintaining line rate.  So, in
> theory it can do some "pre-screening" of packets prior to bridging them
> to the network.  This is not really intended as a replacement for a more
> complete IDS / IPS that can handle more complicated attacks, but is a
> complement that can remove some of the stress on an IDS/IPS system by
> picking out single packets that might be offenders at the router.
>
> I've already written an application that can parse the PCRE and Content
> options of Snort rules and detects single packets that match those
> rules.  I thought one of the additional work projects I could do was
> actually port the Snort detection engine to the IXA SDK and compare
> performance, particularly since my application doesn't support any of
> the header matching, case insensitivity, or other things that Snort can
> do.
>
> Justin
>
> Matthew Watchinski wrote:
> > To be more helpful I would need additional information on the IXP family
> > and what additional chips you plan on using alongside it.
> >
> > But here are some general things to think about.
> >
> > 1. Stream reassembly.  Most Network Processors don't have the ability to
> > reassemble streams; they are per-packet inspection engines.  This isn't
> > that useful in IPS/IDS.
> >
> > 2. Fragmentation support. Some NPCs support this, some don't.
> >
> > 3. Full Regex Support.  If you don't have regular expression support it
> > will be very difficult to support converting any snort rules.
> >
> > 4. Multi-Ordered Content Matches - If your NPC supports content matching,
> > does it support functionality like the relative keyword in the snort
> > rules language?
> >
> > Cheers,
> > -matt
> >
> > justin.latham at ...2499... wrote:
> >
> >> Hello all,
> >> I'm relatively new to Snort, and as part of my master's thesis, I am
> >> going to attempt to port at least the detection engine to an IXA (Intel
> >> Internet Exchange Architecture) network processor appliance.  I am
> >> curious if anybody knows of any previous work done in this area or if
> >> any of the more experienced users have any advice they may want to offer.
> >>
> >> Thanks,
> >> Justin Latham
> >>
> >> -------------------------------------------------------------------------
> >> Using Tomcat but need to do more? Need to support web services, security?
> >> Get stuff done quickly with pre-integrated technology to make your job easier.
> >> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> >> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> >> _______________________________________________
> >> Snort-devel mailing list
> >> Snort-devel at lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/snort-devel
> >>
> >>
> >
> >
> >
>
>
>
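The ordered, relative content matching raised in point 4 of the quoted reply, written without dynamic allocation in view of the malloc limitation mentioned at the top of this message. This is an added example, not code from the thread or from Snort. The struct, function names and sample rule are hypothetical, and the semantics are a simplified model: the search starts `distance` bytes after the previous match ends, and the whole pattern must fall inside the next `within` bytes (0 means no limit).

```c
#include <stddef.h>
#include <string.h>

/* One content option; distance/within are relative to the end of the
 * previous match. Hypothetical layout, not Snort's own structure. */
struct content_opt {
    const unsigned char *pat;
    size_t len, distance, within;   /* within == 0: no limit */
};

/* Match opts[i..n) with the search window anchored at offset `from`.
 * If a later option fails, backtrack to the next occurrence of opts[i].
 * Stack only: no malloc, recursion depth bounded by the option count. */
static int match_from(const unsigned char *pkt, size_t plen,
                      const struct content_opt *opts, size_t n,
                      size_t i, size_t from)
{
    if (i == n) return 1;                       /* whole chain matched */
    const struct content_opt *o = &opts[i];
    if (o->len == 0 || o->distance > plen - from) return 0;
    size_t start = from + o->distance;
    size_t end = plen;
    if (o->within && o->within < plen - start) end = start + o->within;
    if (o->len > end - start) return 0;         /* window too small */
    for (size_t p = start; p + o->len <= end; p++)
        if (memcmp(pkt + p, o->pat, o->len) == 0 &&
            match_from(pkt, plen, opts, n, i + 1, p + o->len))
            return 1;
    return 0;
}

int rule_matches(const unsigned char *pkt, size_t plen,
                 const struct content_opt *opts, size_t n)
{
    return match_from(pkt, plen, opts, n, 0, 0);
}

/* Constructed sample, modelled on:
 * content:"USER"; content:"root"; distance:1; within:8; */
static const struct content_opt sample_rule[] = {
    { (const unsigned char *)"USER", 4, 0, 0 },
    { (const unsigned char *)"root", 4, 1, 8 },
};

int main(void)
{
    const unsigned char pkt[] = "USER root\r\n";    /* constructed payload */
    return rule_matches(pkt, sizeof pkt - 1, sample_rule, 2) ? 0 : 1;
}
```

The matcher sees one buffer at a time, so a chain whose contents arrive in different packets matches only after the reassembly described in point 1.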



