[Snort-devel] IXA Port
dschuff at ...2893...
Mon Feb 12 14:51:02 EST 2007
There has been some work similar to this recently done:
That's a rudimentary IDS implementation on an IXP1200 with TCP flow
reconstruction and Aho-Corasick string matching.
There is also an implementation of Snort on special-purpose NIC
hardware (which is not really like a network processor):
There are plenty of references to related stuff in the academic
literature in those papers, and I probably have even a few more if
justin.latham at ...2499... wrote:
> Matt, thanks for the response. To answer a question from another email,
> the board I'm using is based on the IXP2350, which is a slightly newer
> product, but roughly comparable to the IXP1200.
> I should have been a little more clear on my goals since I know there are
> some big holes... In general, the concept is that the NP has some extra
> processing cycles to spend while still maintaining line rate. So, in
> theory it can do some "pre-screening" of packets prior to bridging them
> to the network. This is not really intended as a replacement for a more
> complete IDS / IPS that can handle more complicated attacks, but is a
> complement that can remove some of the stress on an IDS/IPS system by
> picking out single packets that might be offenders at the router.
> I've already written an application that can parse the PCRE and Content
> options of Snort rules and detects single packets that match those
> rules. I thought one of the additional work projects I could do was
> actually port the Snort detection engine to the IXA SDK and compare
> performance, particularly since my application doesn't support any of
> the header matching, case insensitivity, or other things that Snort can
> do.
> Justin