Snort mailing list archives

Re: Snort Kernel Module


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 06 Oct 2003 17:07:10 -0400

At 02:04 PM 10/6/2003, Josh Berry wrote:
Are there any projects out there that are trying to move snort into the
Linux kernel, or as a kernel loadable module? Would this provide any
benefits (security, speed, accuracy)?

Speed would be improved somewhat.
Security would certainly go down very significantly due to increased privileges. (ie: an exploit of the snort code would now give kernel-mode privilege, instead of root or non-root user privilege.)

Is there any reason this would not be possible?

It's possible, but IMO that's not the point.

Would this be incredibly difficult?

Yes, it would be difficult, as most of the code would require a rewrite to use kernel-level memory and IO APIs.

Functionality would be limited, since kernel processes don't really have extensive libraries like glibc provides. ie: no more mysql support for sure.

It would also be incredibly foolish from a security perspective, and it would make snort a Linux-specific tool.

The kernel should only implement things which belong in the kernel. Moving complex user-space processes into the kernel is dangerous and should only be done with considerable reason to do so. Unlike an application, if a piece of the kernel fails and munges memory, most of the time the system goes down completely with no graceful shutdown. No disk sync, no nothing... just oops and crash.

If an app munges memory, it just segfaults and gets dumped, but the system keeps running.

Also, code running at the kernel level has significantly more privilege than even the root user has. It can touch any memory, or any hardware in the entire system without any restrictions. Even root has to jump through some hoops (ie: loading a module) to do this, and on a well-secured system, even root can't load kernel mode code. (yes, I do use grsecurity patches on my linux boxes and have no loadable module support.)
