[Snort-users] Kernel space Snort. Proof of concept test succeeded.

Willem de Bruijn wdebruij at ...1580...
Tue Sep 14 08:56:22 EDT 2004


  I recently read a topic on the mailing list dated June 14th, 2004 in which you 
discussed pushing snort into the kernel. For reference, here's the cached 
version: http://archives.neohapsis.com/archives/snort/2004-06/0348.html.

  While the points that coding for the kernel is (1) seriously different from 
userspace and (2) more error-prone are valid, there is another option. Hereby 
I'm shamelessly going to push a piece of work I am involved in, but I 
wouldn't have done it if I hadn't thought there'd be anything to gain for you 
guys ;)

  At the Universiteit Leiden we've been working on the Fairly Fast Packet 
Filter (FFPF), which allows filtering to be done both in userspace and in the 
kernel. While coding the framework itself to work in both environments was 
quite hard, writing cross-space filters is fairly straightforward, as 
difficult stuff is not handled by the filters themselves. Also, backward 
compatibility is ensured by writing a new libpcap backend. Therefore snort 
can work out of the box with FFPF.

  As for filters, we've already ported Aho-Corasick and Boyer-Moore-Horspool, a 
sampler, etc. For a conference paper we've pitted snort with BMH in the 
kernel against regular snort and found quite considerable increases in 
efficiency (some 50% less CPU utilization with an older version of the 
software; better results are surely obtainable).

  In general, filtering packets in the kernel will save you many memory copies 
and context switches, as most packets will not have to traverse the 
kernelspace/userspace boundary. Manually rewriting snort to work in the 
kernel will take a lot of time, however.

  Therefore, I think that, if you are looking for a simple way to try out 
snort in the kernel, have a look at FFPF (at ffpf.sourceforge.net). We'll 
have an OSDI conference paper out shortly and if time permits I'll add more 
information regarding IDS/IPS to the website. If you're interested please 
drop me an email. Oh, and I'm not a member of the list, so please CC me 
personally with your comments (if any).


Willem de Bruijn
+31 6 2695 2446