No subject


Thu Nov 23 16:36:19 EST 2017


Oct  6 15:07:17 ids1 kernel: eth1: Promiscuous mode enabled.
Oct  6 15:07:17 ids1 snort: OpenPcap() device eth1 network lookup:
^Ieth1: no IPv4 address assigned
Oct  6 15:07:17 ids1 snort: FATAL ERROR: OpenPcap() FSM compilation
failed:  ^IPCAP command: %s
Oct  6 15:07:17 ids1 snortd: snort startup failed

************************************************************************

Thanks in advance,

Mike

 Mike Koponick
 RedHawk. - Network Engineering
 mike at ...7385...

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify
 security at ...9202...
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



--__--__--

Message: 6
Subject: Re: [Snort-users] Snort Kernel Module
From: pieter claassen <pieter at ...9950...>
To: Matt Kettler <mkettler at ...4108...>
Cc: Josh Berry <josh.berry at ...10221...>,
snort-users at lists.sourceforge.net
Date: Tue, 07 Oct 2003 00:25:44 +0100

Most points raised I do believe are valid. However, what about the
possibilities on embedded devices that don't have any need for multi
user environments (separation of kernel and user space)?

Pieter

On Mon, 2003-10-06 at 22:07, Matt Kettler wrote:
> At 02:04 PM 10/6/2003, Josh Berry wrote:
> >Are there any projects out there that are trying to move snort into the
> >Linux kernel, or as a kernel loadable module.  Would this provide any
> >benefits (security, speed, accuracy)?
> 
> Speed would be improved somewhat.
> Security would certainly go down very significantly due to increased
> privileges. (ie: an exploit of the snort code would now give kernel-mode
> privilege, instead of root or non-root user privilege.)
> 
> >   Is there any reason this would not
> >be possible?
> 
> It's possible, but IMO that's not the point.
> 
> >  Would this be incredibly difficult?
> 
> Yes, it would be difficult as most of the code would require rewrite to
> use kernel-level memory and IO APIs.
> 
> Functionality would be limited, since kernel processes don't really have
> extensive libraries like glibc provides. ie: no more mysql support for
> sure.
> 
> It would also be incredibly foolish from a security perspective and it
> would make snort a linux-specific tool.
> 
> The kernel should only implement things which belong in the kernel. Moving
> complex user-space processes into the kernel is dangerous and should only
> be done with considerable reason to do so. Unlike an application, if a
> piece of the kernel fails and munges memory, most time the system goes
> down completely with no graceful shutdown. No disk sync, no nothing.. just
> oops and crash.
> 
> If an app munges memory, it just segfaults and gets dumped, but the system
> keeps running.
> 
> Also, code running at the kernel level has significantly more privilege
> than even the root user has. It can touch any memory, or any hardware in
> the entire system without any restrictions. Even root has to jump through
> some hoops (ie: loading a module) to do this, and on a well-secured
> system, even root can't load kernel mode code. (yes, I do use grsecurity
> patches on my linux boxes and have no loadable module support.)
-- 
pieter claassen <pieter at ...9950...>



--__--__--

Message: 7
Date: Mon, 6 Oct 2003 18:29:36 -0500
From: Mark Nipper <nipsy at ...5072...>
To: Josh Berry <josh.berry at ...10221...>
Cc: Matt Kettler <mkettler at ...4108...>,
	snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort Kernel Module

On 06 Oct 2003, Josh Berry wrote:
> Mostly I need the performance improvements this would add.  Where I work
> we have some developers, so the cost wouldn't be an issue.  We would like
> to run a linux Intrusion Prevention System with
> Bridge/Netfilter/Snort-Inline, however, for where we would like to use it,
> we are worried that the system would not be able to handle the traffic.  I've
> been using Bridge/Netfilter/Snort-Inline at home now for some time and
> have done some testing, but do not think that it could handle the load we
> would need.  If we could get it to perform at a satisfactory level that
> would allow us to use an open-source solution rather than pay $20,000 to
> $50,000 for a commercial IPS system.

	Out of curiosity, are you using ebtables
(http://ebtables.sourceforge.net/) to do this in the Linux
kernel?  I'm using OpenBSD and Snort currently to do this, but
I'm using Snort passively (not inline) so there is a second or so
of delay and some packets do get through.  I was just wondering
if the ebtables stuff in Linux (netfilter over a bridge) was
actually mostly stable.

	For what it's worth, the biggest issue seems to be how
well the box can hold up based on very small packets per second.
If you can maintain high rates of throughput with very small
packets, then your box should be a success.  Also, gigabit
interfaces tend to perform better under these kinds of loads,
even on 100Mbps connections, so buy some Intel gigabit desktop
adapters and see if it helps.

	What I'd really like to see is a box that works fully at
layer 7 like a Packeteer (http://www.packeteer.com/) but didn't
cost $25k and actually worked under heavy loads (which our
Packeteers seem to have problems doing).

-- 
Mark Nipper                                                e-contacts:
Computing and Information Services                      nipsy at ...5072...
Texas A&M University                        http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                      MSN: nipsy at ...5072...




--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

Subject: Snort - ACID Displays NO data on IE

After I setup everything as in the instruction list, I can't see any data
display on my IE http://localhost/acid/acid_main.php.

The IE just displays the template with NO data (like TCP, ICMP or UDP
traffic).

How do I troubleshoot this?

I am using Snort 2.0.1.

-----Original Message-----
From: snort-users-request at lists.sourceforge.net [mailto:snort-users-request at lists.sourceforge.net]
Sent: Tuesday, October 07, 2003 7:48 AM
To: snort-users at lists.sourceforge.net


Today's Topics:

   1. Re: Snort Kernel Module (Matt Kettler)
   2. NIDS test steps (twig les)
   3. Re: Snort Kernel Module (Josh Berry)
   4. RE: Can we send email using Outlook as the smtp server with ACID? (Michael Steele)
   5. Remote Syslog... (Mike Koponick)
   6. Re: Snort Kernel Module (pieter claassen)
   7. Re: Snort Kernel Module (Mark Nipper)

--__--__--

Message: 1
Date: Mon, 06 Oct 2003 17:07:10 -0400
To: "Josh Berry" <josh.berry at ...10221...>,
   snort-users at lists.sourceforge.net
From: Matt Kettler <mkettler at ...4108...>
Subject: Re: [Snort-users] Snort Kernel Module

At 02:04 PM 10/6/2003, Josh Berry wrote:
>Are there any projects out there that are trying to move snort into the
>Linux kernel, or as a kernel loadable module.  Would this provide any
>benefits (security, speed, accuracy)?

Speed would be improved somewhat.
Security would certainly go down very significantly due to increased
privileges. (ie: an exploit of the snort code would now give kernel-mode
privilege, instead of root or non-root user privilege.)

>   Is there any reason this would not
>be possible?

It's possible, but IMO that's not the point.

>  Would this be incredibly difficult?

Yes, it would be difficult as most of the code would require rewrite to use
kernel-level memory and IO APIs.

Functionality would be limited, since kernel processes don't really have
extensive libraries like glibc provides. ie: no more mysql support for sure.

It would also be incredibly foolish from a security perspective and it
would make snort a linux-specific tool.

The kernel should only implement things which belong in the kernel. Moving
complex user-space processes into the kernel is dangerous and should only
be done with considerable reason to do so. Unlike an application, if a
piece of the kernel fails and munges memory, most time the system goes down
completely with no graceful shutdown. No disk sync, no nothing.. just oops
and crash.

If an app munges memory, it just segfaults and gets dumped, but the system
keeps running.

Also, code running at the kernel level has significantly more privilege
than even the root user has. It can touch any memory, or any hardware in
the entire system without any restrictions. Even root has to jump through
some hoops (ie: loading a module) to do this, and on a well-secured system,
even root can't load kernel mode code. (yes, I do use grsecurity patches on
my linux boxes and have no loadable module support.)
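Matt's closing point, that kernel-mode code outranks root and that a hardened box should not let even root add kernel code, has a concrete check behind it. The following is an added example, not code from the thread; it assumes a standard Linux /proc layout, where /proc/modules is absent on a kernel built without loadable module support and /proc/sys/kernel/modules_disabled reads 1 once loading has been switched off for the rest of the uptime.

```python
"""Classify whether a Linux kernel can still accept kernel-mode code.

Added example, not from the thread. classify() is a pure function over
the two file contents so it can be exercised on constructed input;
module_loading_state() reads the live files under a given root.
Assumptions: standard Linux /proc layout (see lead-in).
"""
from pathlib import Path
from typing import Dict, List, Optional


def loaded_modules(proc_modules_text: str) -> List[str]:
    """Module names from /proc/modules: the first field of each line."""
    return [ln.split()[0] for ln in proc_modules_text.splitlines() if ln.split()]


def classify(modules_text: Optional[str], disabled_text: Optional[str]) -> Dict[str, object]:
    """modules_text / disabled_text are file contents, or None when the file is missing.

    Missing /proc/modules means the kernel has no loadable module support at
    all (the configuration Matt describes). Otherwise modules_disabled == 1
    means loading was locked for this boot; anything else means root can
    still load modules.
    """
    if modules_text is None:
        return {
            "module_support": False,
            "loading_allowed": False,
            "loaded": [],
            "verdict": "kernel built without loadable module support",
        }
    locked = (disabled_text or "0").strip() == "1"
    return {
        "module_support": True,
        "loading_allowed": not locked,
        "loaded": loaded_modules(modules_text),
        "verdict": (
            "module loading disabled until reboot"
            if locked
            else "module loading enabled: root can still add kernel-mode code"
        ),
    }


def _read(path: Path) -> Optional[str]:
    return path.read_text() if path.exists() else None


def module_loading_state(root: str = "/") -> Dict[str, object]:
    """Classify the host whose /proc lives under root ("/" for the live system)."""
    r = Path(root)
    return classify(
        _read(r / "proc" / "modules"),
        _read(r / "proc" / "sys" / "kernel" / "modules_disabled"),
    )


# Constructed /proc/modules content in the real layout:
# name size refcount dependencies state load_address
SAMPLE_PROC_MODULES = (
    "e1000 123456 0 - Live 0xffffffffa0000000\n"
    "ext4 654321 1 - Live 0xffffffffa0100000\n"
)

if __name__ == "__main__":
    print(module_loading_state())
```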

--__--__--

Message: 2
Date: Mon, 6 Oct 2003 14:12:18 -0700 (PDT)
From: twig les <twigles at ...131...>
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] NIDS test steps

Hey *, I've been sitting on this doc I made that guided my
latest NIDS tests (the NIDS was not snort, but this thing is
pretty general).  I've been wanting to get a real web site up
and post it there for dl, but I'm freakin' swamped so I just
zipped it and attached it (5.6k).  Lemme know if anyone can
improve it.

Oh BTW it's in Excel 2k format.  Sorry.

----------------------------------------------------------
If you receive something that says 'Send this to everyone you
know, pretend you don't know me.
----------------------------------------------------------

Content-Type: application/x-zip-compressed; name="NIDS Test Plan 1.1 - 2003-09-05.zip"
Content-Transfer-Encoding: base64
Content-Description: NIDS Test Plan 1.1 - 2003-09-05.zip
Content-Disposition: attachment; filename="NIDS Test Plan 1.1 - 2003-09-05.zip"

--__--__--

Message: 3
Date: Mon, 6 Oct 2003 15:15:58 -0500 (CDT)
Subject: Re: [Snort-users] Snort Kernel Module
From: "Josh Berry" <josh.berry at ...10221...>
To: "Matt Kettler" <mkettler at ...4108...>
Cc: snort-users at lists.sourceforge.net

Mostly I need the performance improvements this would add.  Where I work
we have some developers, so the cost wouldn't be an issue.  We would like
to run a linux Intrusion Prevention System with
Bridge/Netfilter/Snort-Inline, however, for where we would like to use it,
we are worried that the system would not be able to handle the traffic.  I've
been using Bridge/Netfilter/Snort-Inline at home now for some time and
have done some testing, but do not think that it could handle the load we
would need.  If we could get it to perform at a satisfactory level that
would allow us to use an open-source solution rather than pay $20,000 to
$50,000 for a commercial IPS system.

> At 02:04 PM 10/6/2003, Josh Berry wrote:
> >Are there any projects out there that are trying to move snort into the
> >Linux kernel, or as a kernel loadable module.  Would this provide any
> >benefits (security, speed, accuracy)?
>
> Speed would be improved somewhat.
> Security would certainly go down very significantly due to increased
> privileges. (ie: an exploit of the snort code would now give kernel-mode
> privilege, instead of root or non-root user privilege.)
>
> >   Is there any reason this would not
> >be possible?
>
> It's possible, but IMO that's not the point.
>
> >  Would this be incredibly difficult?
>
> Yes, it would be difficult as most of the code would require rewrite to
> use kernel-level memory and IO APIs.
>
> Functionality would be limited, since kernel processes don't really have
> extensive libraries like glibc provides. ie: no more mysql support for
> sure.
>
> It would also be incredibly foolish from a security perspective and it
> would make snort a linux-specific tool.
>
> The kernel should only implement things which belong in the kernel. Moving
> complex user-space processes into the kernel is dangerous and should only
> be done with considerable reason to do so. Unlike an application, if a
> piece of the kernel fails and munges memory, most time the system goes
> down completely with no graceful shutdown. No disk sync, no nothing.. just
> oops and crash.
>
> If an app munges memory, it just segfaults and gets dumped, but the system
> keeps running.
>
> Also, code running at the kernel level has significantly more privilege
> than even the root user has. It can touch any memory, or any hardware in
> the entire system without any restrictions. Even root has to jump through
> some hoops (ie: loading a module) to do this, and on a well-secured
> system, even root can't load kernel mode code. (yes, I do use grsecurity
> patches on my linux boxes and have no loadable module support.)

<P><FONT SIZE=3D2>--__--__--</FONT>
</P>

Message: 4
From: "Michael Steele" <michaels at ...9077...>
To: <snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Can we send email using Outlook as the smtp server with ACID?
Date: Mon, 6 Oct 2003 15:14:51 -0700

Demetri,

Why in the heck did you even respond if you know nothing about Microsoft!

To answer his question; Using Outlook, there is no way. Why can't you use
your SMTP server from your ISP and receive alerts in real time?

Here is what you need to do to send Email alerts in real time from a Windows
box, you can also browse on over to Winsnort.com and retrieve some install
docs. You will need to modify paths, and download event watch, not the
newest one. You can grab the file off my site by using the link in one of
the guides.

Install:

Snort sets a priority on triggered alerts. These priority alerts range from
1-3. One being the highest priority to 3 being the lowest priority alert.
This section of the documentation will walk you through setting up the IDS
for sending alerts based on the highest priority alert.

Note: You MUST have a valid outgoing SMTP server that can be accessed from
the IDS.

• Load the file 'D:\Applications\snort\etc\snort.conf' into WordPad, search
for and change:

Original: # output alert_syslog: LOG_AUTH LOG_ALERT
Change: output alert_syslog: LOG_AUTH LOG_ALERT

Now save the file and exit...

• Uncompress the downloaded 'eventwatchnt' file into
'D:\Applications\eventwatchnt'.

• Navigate into the 'D:\Applications\eventwatchnt' folder and double click
on 'eventwatchnt.exe'

Note: A shortcut could be placed on the desktop for easy access to the
management console.

Note: The EventwatchNT Configuration applet will appear with some dialog
boxes filled in.

• In the 'Sender Name:' dialog box type the name of the IDS

• In the 'Sender Email Address:' dialog box type
eventwatch at ...10224...

• In the 'Recipients:' dialog box type the email address where the alerts
will be sent

• In the 'SMTP Server:' dialog box type the name or IP of the SMTP server

• In the 'Email Subject:' type Snort Priority 1 Alert!

• In the 'Filter(s):' dialog box type (including the [ ] and must be
typed exact) [Priority: 1]

• In the 'Type:' select box choose 'Include'

Note: At this point you should be able to click the 'Test' button and send
a test message to the 'Sender Email Address' that was selected above.

• In the 'Event logs to monitor' select box, only 'Application' needs
to be ticked

• In the 'Events to report' select box, only 'INFORMATION' needs to be
ticked

• In the 'Options' select box, only 'HTML Email' needs to be ticked

• In the 'Installation' select box, click the 'Install' button

• In the 'Service Control' select box, click on the 'Start' button

• Click the 'OK' button at the top right

• Navigate to 'Administrative Tools', select Event Viewer, right click
'Application', select 'Properties', tick 'Overwrite events as needed',
click the 'Apply' button, click the 'OK' button, and exit

Note: To test the email alerting, run a scanner on the network. If there
were no email alerts sent out check the Event log under the Application log
and see if any [Priority: 1] alerts were detected and logged. If there were
alerts then make sure that the SMTP settings are set correctly and there is a
clear path to the SMTP server. Use the 'Test' button in the Event Watch NT
applet to make sure that the email is functioning properly.

Cheers...

-Michael Steele
--
 System Engineer / Security Support Technician
 mailto:michaels at ...9077...
 Website: http://www.winsnort.com
 Snort: Open Source Network IDS - http://www.snort.org


-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Demetri
Mouratis
Sent: Monday, October 06, 2003 11:30 AM
To: Chhabria, Kavita - Apogent
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Can we send email using Outlook as the smtp
server with ACID?

On Mon, 6 Oct 2003, Chhabria, Kavita - Apogent wrote:

> Hello all:
>
> Does anyone know as to how to send emails using Outlook as the SMTP server
> from ACID.

Well, you haven't specified your local MTA on the ACID box.  Assuming you
still have qmail there, you need to instruct qmail to relay to the
ip/hostname of the M$ box you want to deliver the mail.
http://cr.yp.to/qmail/faq/outgoing.html#notlocal

I think you mean Exchange rather than Outlook but what the hell do I know
about M$ anyway.

HTH.
---------------------------------------------------------------------
Demetri Mouratis
dmourati at ...3878...


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
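As an added example, not part of Michael Steele's post and not code from EventwatchNT or Winsnort: the same "[Priority: 1]" include filter applied in Python to Snort 2.x alert_syslog lines (the text that lands in the Windows Application log or a syslog file), followed by building the HTML alert mail and handing it to an SMTP relay. The log lines are constructed, the host names and addresses are placeholders, and the smtp_factory parameter is an assumption of this example so the delivery path can be run without a live relay.

```python
"""
Added example, not code from the original post or from EventwatchNT/Winsnort.
It reads Snort 2.x alert_syslog lines, keeps those matching the '[Priority: 1]'
include filter from the post, and builds the HTML alert e-mail.
The log lines below are constructed; host names and addresses are placeholders.
"""
import re
import smtplib
from email.message import EmailMessage
from html import escape

# Snort 2.x alert_syslog line shape: [gid:sid:rev] message
# [Classification: ...] [Priority: N]: {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]:?\s*"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

# Constructed sample: four alerts of mixed priority plus one non-alert line.
SAMPLE_LOG = """\
Oct  6 15:10:02 ids1 snort: [1:1256:7] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.1.2.3:3127 -> 192.168.0.10:80
Oct  6 15:10:05 ids1 snort: [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.1.2.3 -> 192.168.0.10
Oct  6 15:10:09 ids1 snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.1.2.4:1434 -> 192.168.0.10:1434
Oct  6 15:10:11 ids1 snort: [1:648:5] SHELLCODE x86 NOOP [Classification: Executable code was detected] [Priority: 1]: {TCP} 10.1.2.5:4444 -> 192.168.0.10:139
Oct  6 15:10:12 ids1 kernel: eth1: Promiscuous mode enabled.
"""


def parse_alert(line):
    """Return the fields of one Snort alert line, or None for any other line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prio"] = int(rec["prio"])
    rec["raw"] = line.rstrip("\n")
    return rec


def select_alerts(log_text, max_priority=1):
    """Keep alerts whose priority is <= max_priority (1 is the highest).

    max_priority=1 is exactly the '[Priority: 1]' include filter from the post;
    raising it to 2 or 3 widens the filter to the lower-priority rules as well.
    """
    selected = []
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is not None and rec["prio"] <= max_priority:
            selected.append(rec)
    return selected


def build_message(alerts, sender, recipients, subject="Snort Priority 1 Alert!"):
    """Build a text+HTML e-mail listing the alerts; nothing is sent here."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content("\n".join(a["raw"] for a in alerts))
    # Escape every field: rule messages and addresses come straight from
    # attacker-influenced traffic and must not become markup in the mail.
    rows = "".join(
        "<tr><td>%s</td><td>%s</td><td>%s</td><td>%s -&gt; %s</td></tr>"
        % tuple(escape(a[k]) for k in ("sid", "msg", "proto", "src", "dst"))
        for a in alerts
    )
    msg.add_alternative(
        "<html><body><table border=\"1\">%s</table></body></html>" % rows,
        subtype="html",
    )
    return msg


def send_alerts(alerts, smtp_host, sender, recipients, smtp_factory=smtplib.SMTP):
    """Deliver one mail for the selected alerts through a plain SMTP relay.

    The relay must be reachable from the IDS, as the post notes. smtp_factory
    is an assumption of this example so the path can be run without a relay.
    """
    if not alerts:
        return 0
    msg = build_message(alerts, sender, recipients)
    with smtp_factory(smtp_host) as smtp:
        smtp.send_message(msg)
    return len(alerts)


if __name__ == "__main__":
    hits = select_alerts(SAMPLE_LOG, max_priority=1)
    print(build_message(hits, "eventwatch@ids.example", ["soc@example.test"]))
```

Run stand-alone it prints the mail built for the two priority-1 alerts in the sample and ignores the kernel line. The escaping in build_message matters because the post turns on 'HTML Email': a rule message or hostname is attacker-influenced text and should never be pasted into HTML unescaped.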

--__--__--

Message: 5
Date: Mon, 6 Oct 2003 15:23:04 -0700
From: "Mike Koponick" <mike at ...7385...>
To: <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Remote Syslog...

Hello!

I have been trying to configure snort to log to a remote syslog server.

I have the remote syslog server set up to accept syslog packets (and it is
accepting them from the firewall device), but am having a problem
getting snort to start.

I consulted 3.20 in the FAQ without any luck.

I'm using 2.0 Snort on Linux 9.0.

Syslog.conf:

auth.alert                                              @console

************************************************************************

Portion of the snort startup file:

       /usr/local/bin/snort -o -z -i eth1 -d -D -c \
/etc/snort/snort.conf -I -A full -s console:514

************************************************************************
From the /var/log/messages file:

Oct  6 15:07:17 ids1 kernel: eth1: Promiscuous mode enabled.
Oct  6 15:07:17 ids1 snort: OpenPcap() device eth1 network lookup:
^Ieth1: no IPv4 address assigned
Oct  6 15:07:17 ids1 snort: FATAL ERROR: OpenPcap() FSM compilation
failed:  ^IPCAP command: %s
Oct  6 15:07:17 ids1 snortd: snort startup failed

************************************************************************

Thanks in advance,

Mike

 Mike Koponick
 RedHawk. - Network Engineering
 mike at ...7385...

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify
 security at ...9202...
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--__--__--

Message: 6
Subject: Re: [Snort-users] Snort Kernel Module
From: pieter claassen <pieter at ...9950...>
To: Matt Kettler <mkettler at ...4108...>
Cc: Josh Berry <josh.berry at ...10221...>,  snort-users at lists.sourceforge.net
Date: Tue, 07 Oct 2003 00:25:44 +0100

Most points raised I do believe are valid. However, what about the
possibilities on embedded devices that don't have any need for multi
user environments (separation of kernel and user space)?

Pieter

On Mon, 2003-10-06 at 22:07, Matt Kettler wrote:
> At 02:04 PM 10/6/2003, Josh Berry wrote:
> >Are there any projects out there that are trying to move snort into the
> >Linux kernel, or as a kernel loadable module.  Would this provide any
> >benefits (security, speed, accuracy)?
>
> Speed would be improved somewhat.
> Security would certainly go down very significantly due to its increased
> privileges. (ie: an exploit of the snort code would now give kernel-mode
> privilege, instead of root or non-root user privilege.)
>
> >   Is there any reason this would not
> >be possible?
>
> It's possible, but IMO that's not the point.
>
> >  Would this be incredibly difficult?
>
> Yes, it would be difficult as most of the code would require rewrite to use
> kernel-level memory and IO APIs.
>
> Functionality would be limited, since kernel processes don't really have
> extensive libraries like glibc provides. ie: no more mysql support for sure.
>
> It would also be incredibly foolish from a security perspective and it
> would make snort a linux-specific tool.
>
> The kernel should only implement things which belong in the kernel. Moving
> complex user-space processes into the kernel is dangerous and should only
> be done with considerable reason to do so. Unlike an application, if a
> piece of the kernel fails and munges memory, most time the system goes down
> completely with no graceful shutdown. No disk sync, no nothing.. just oops
> and crash.
>
> If an app munges memory, it just segfaults and gets dumped, but the system
> keeps running.
>
> Also, code running at the kernel level has significantly more privilege
> than even the root user has. It can touch any memory, or any hardware in
> the entire system without any restrictions. Even root has to jump through
> some hoops (ie: loading a module) to do this, and on a well-secured system,
> even root can't load kernel mode code. (yes, I do use grsecurity patches on
> my linux boxes and have no loadable module support.)
>
--
pieter claassen <pieter at ...9950...>

--__--__--

Message: 7
Date: Mon, 6 Oct 2003 18:29:36 -0500
From: Mark Nipper <nipsy at ...5072...>
To: Josh Berry <josh.berry at ...10221...>
Cc: Matt Kettler <mkettler at ...4108...>,
        snort-users at ...2902...ists.sourceforge.net
Subject: Re: [Snort-users] Snort Kernel Module

On 06 Oct 2003, Josh Berry wrote:
> Mostly I need the performance improvements this would add.  Where I work
> we have some developers, so the cost wouldn't be an issue.  We would like
> to run a linux Intrusion Prevention System with
> Bridge/Netfilter/Snort-Inline, however, for where we would like to use it,
> we are worried that the system would not be able to handle the traffic.  I've
> been using Bridge/Netfilter/Snort-Inline at home now for some time and
> have done some testing, but do not think that it could handle the load we
> would need.  If we could get it to perform at a satisfactory level that
> would allow us to use an open-source solution rather than pay $20,000 to
> $50,000 for a commercial IPS system.

        Out of curiosity, are you using ebtables
(http://ebtables.sourceforge.net/) to do this in the Linux
kernel?  I'm using OpenBSD and Snort currently to do this, but
I'm using Snort passively (not inline) so there is a second or so
of delay and some packets do get through.  I was just wondering
if the ebtables stuff in Linux (netfilter over a bridge) was
actually mostly stable.

        For what it's worth, the biggest issue seems to be how
well the box can hold up based on very small packets per second.
If you can maintain high rates of throughput with very small
packets, then your box should be a success.  Also, gigabit
interfaces tend to perform better under these kinds of loads,
even on 100Mbps connections, so buy some Intel gigabit desktop
adapters and see if it helps.

        What I'd really like to see is a box that works fully at
layer 7 like a Packeteer (http://www.packeteer.com/) but didn't
cost $25k and actually worked under heavy loads (which our
Packeteers seem to have problems doing).

--
Mark Nipper                                              e-contacts:
Computing and Information Services               nipsy at ...5072...
Texas A&M University                       http://ops.tamu.edu/nipsy/
College Station, TX 77843-3142     AIM/Yahoo: texasnipsy ICQ: 66971617
(979)575-3193                                  MSN: nipsy at ...5072...

-----BEGIN GEEK CODE BLOCK-----
GG/IT d- s++:+ a-- C++$ UBL+++$ P--->+++ L+++$ E---
W++ N+ o K++ w(---) O++ M V(--) PS+++(+) PE(--) Y+
PGP++(+) t 5 X R tv b+++ DI+(++) D+ G e h r++ y+(**)
------END GEEK CODE BLOCK------

---begin random quote of the moment---
"If the fool would persist in his folly he would become wise."
 -- one of the Proverbs of Hell from William Blake's _The
    Marriage of Heaven and Hell_, 1789-1790
----end random quote of the moment----

--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest

</BODY>
</HTML>





More information about the Snort-users mailing list