[Snort-devel] IXA Port

dschuff dschuff at ...2893...
Mon Feb 12 14:51:02 EST 2007


There has been some work similar to this recently done:
http://www.cs.vu.nl/~herbertb/papers/cardguard_raid05.pdf

That's a rudimentary IDS implementation on an IXP1200 with TCP flow 
reconstruction and Aho-Corasick string matching.
There is also an implementation of Snort on special-purpose NIC 
hardware (which is not really like a network processor):
http://web.ics.purdue.edu/~dschuff/schuff-ipdps07.pdf

There are plenty of references to related stuff in the academic 
literature in those papers, and I probably have even a few more if 
you're interested.

-derek

justin.latham at ...2499... wrote:
> Matt, thanks for the response.  To answer a question from another email, 
> the board I'm using is based on the IXP2350, which is a slightly newer 
> product, but roughly comparable to the IXP1200. 
> 
> I should have been a little more clear on my goals since I know there are 
> some big holes...  In general, the concept is that the NP has some extra 
> processing cycles to spend while still maintaining line rate.  So, in 
> theory it can do some "pre-screening" of packets prior to bridging them 
> to the network.  This is not really intended as a replacement for a more 
> complete IDS / IPS that can handle more complicated attacks, but is a 
> complement that can remove some of the stress on an IDS/IPS system by 
> picking out single packets that might be offenders at the router.
> 
> I've already written an application that can parse the PCRE and Content 
> options of Snort rules and detects single packets that match those 
> rules.  I thought one of the additional work projects I could do was 
> to actually port the Snort detection engine to the IXA SDK and compare 
> performance, particularly since my application doesn't support any of 
> the header matching, case insensitivity, or other things that Snort can 
> do.
> Justin
> 
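The single-packet pre-screening idea from the quoted message, sketched with the Aho-Corasick matching mentioned in the reply. This is an added example, not code from either poster, from Snort, or from the IXA SDK. The pattern strings and the payload are constructed, and the matcher handles only case-sensitive fixed strings, with no PCRE or header matching.

```c
#include <stdio.h>
#include <string.h>

#define MAXS 64   /* enough trie states for the sample patterns below */

/* Constructed sample content strings, not taken from any real rule set. */
static const char *pats[] = { "cmd.exe", "/etc/passwd", "passwd", "exec" };
enum { NPAT = sizeof pats / sizeof pats[0] };

static int go_[MAXS][256], fail_[MAXS], nstates = 1;   /* state 0 is the root */
static unsigned out_[MAXS];   /* bit i set: pattern i ends in this state */

/* Build the trie, then complete it into a DFA breadth-first. Call once. */
static void ac_build(void) {
    int queue[MAXS], head = 0, tail = 0;
    for (int i = 0; i < NPAT; i++) {
        int s = 0;
        for (const unsigned char *p = (const unsigned char *)pats[i]; *p; p++) {
            if (!go_[s][*p]) go_[s][*p] = nstates++;
            s = go_[s][*p];
        }
        out_[s] |= 1u << i;
    }
    for (int c = 0; c < 256; c++)
        if (go_[0][c]) queue[tail++] = go_[0][c];   /* depth 1 fails to root */
    while (head < tail) {
        int s = queue[head++];
        out_[s] |= out_[fail_[s]];                /* inherit suffix matches */
        for (int c = 0; c < 256; c++) {
            int t = go_[s][c];
            if (t) { fail_[t] = go_[fail_[s]][c]; queue[tail++] = t; }
            else go_[s][c] = go_[fail_[s]][c];    /* missing edge: follow failure */
        }
    }
}

/* Single pass over one payload; returns a bitmask of patterns seen (0 = clean). */
static unsigned prescreen(const unsigned char *pkt, size_t len) {
    unsigned hits = 0; int s = 0;
    for (size_t i = 0; i < len; i++) { s = go_[s][pkt[i]]; hits |= out_[s]; }
    return hits;
}

int main(void) {
    const char *pkt = "GET /../../etc/passwd HTTP/1.0";   /* constructed payload */
    ac_build();
    printf("match mask: 0x%x\n", prescreen((const unsigned char *)pkt, strlen(pkt)));
    return 0;
}
```

Each payload byte costs one table lookup regardless of how many patterns are loaded, which is what makes this kind of matcher a fit for spare per-packet cycles; a packet with a nonzero mask would be the one flagged for the fuller IDS/IPS.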




