Snort mailing list archives
Re: Snort Kernel Module
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 06 Oct 2003 17:07:10 -0400
At 02:04 PM 10/6/2003, Josh Berry wrote:
Are there any projects out there that are trying to move snort into the Linux kernel, or as a kernel loadable module? Would this provide any benefits (security, speed, accuracy)?
Speed would be improved somewhat. Security would certainly go down very significantly due to increased privileges. (ie: an exploit of the snort code would now give kernel-mode privilege, instead of root or non-root user privilege.)
Is there any reason this would not be possible?
It's possible, but IMO that's not the point.
Would this be incredibly difficult?
Yes, it would be difficult as most of the code would require rewrite to use kernel-level memory and IO APIs.
Functionality would be limited, since kernel processes don't really have extensive libraries like glibc provides. ie: no more mysql support for sure.
It would also be incredibly foolish from a security perspective and it would make snort a Linux-specific tool.
The kernel should only implement things which belong in the kernel. Moving complex user-space processes into the kernel is dangerous and should only be done with considerable reason to do so. Unlike an application, if a piece of the kernel fails and munges memory, most of the time the system goes down completely with no graceful shutdown. No disk sync, no nothing, just oops and crash.
If an app munges memory, it just segfaults and gets dumped, but the system keeps running.
Also, code running at the kernel level has significantly more privilege than even the root user has. It can touch any memory, or any hardware in the entire system without any restrictions. Even root has to jump through some hoops (ie: loading a module) to do this, and on a well-secured system, even root can't load kernel mode code. (yes, I do use grsecurity patches on my linux boxes and have no loadable module support.)
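As an added example, not code from this thread and not Snort's own code: the fault-isolation and privilege points in the message above, done the user-space way. A supervisor forks a worker, the worker drops root (if it has it) before touching data, and a wild write in the worker kills only the worker; the parent sees SIGSEGV from waitpid() and keeps running, which is exactly the boundary a kernel module does not have. The sample packet bytes, the count_high_bytes() stand-in for detection work and the bogus_address write are all constructed for this example, and it assumes Linux fork/setuid semantics.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample input: a made-up 16-byte "packet" for the worker to
 * scan. It is not a real capture. */
static const unsigned char sample_packet[] = {
    0x45, 0x00, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00,
    0x40, 0x06, 0xb1, 0xe6, 0xc0, 0xa8, 0x00, 0x68
};

/* Stand-in for detection work: count bytes with the high bit set. */
size_t count_high_bytes(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] & 0x80)
            n++;
    return n;
}

/* Drop root, if we hold it, to uid/gid before touching untrusted data.
 * Order matters: supplementary groups and gid first, because after
 * setuid() to a non-root uid we can no longer change them. Asking to
 * "drop" to uid 0 is no drop, so it is treated as a no-op.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0 || uid == 0)
        return 0;                       /* nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)                 /* the drop must be irreversible */
        return -1;
    return 0;
}

typedef int (*worker_fn)(void);

/* Run fn in a forked child that first drops to uid/gid. Returns 0 if the
 * worker exited cleanly, the signal number if the kernel killed it (e.g.
 * SIGSEGV), 1000 + status for a non-zero exit, or -1 on supervisor error.
 * The supervisor survives a crashing worker; in-kernel code has no such
 * boundary, so a bad write there takes the whole machine down. */
int run_supervised(worker_fn fn, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(111);
        _exit(fn() == 0 ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? 0 : 1000 + WEXITSTATUS(status);
    return -1;
}

/* Well-behaved worker: scans the sample and exits cleanly. */
int good_worker(void)
{
    return count_high_bytes(sample_packet, sizeof sample_packet) == 4 ? 0 : 1;
}

/* Buggy worker: a "decoder" that writes through a bogus pointer. The
 * address is loaded from a volatile so the compiler cannot fold the store
 * into a trap instruction; it faults the way a real wild write would. */
static volatile uintptr_t bogus_address = 0;
int crashing_worker(void)
{
    volatile int *p = (volatile int *)bogus_address;
    *p = 42;                            /* SIGSEGV, confined to the child */
    return 0;
}

int main(void)
{
    uid_t u = getuid();
    gid_t g = getgid();
    printf("good worker     -> %d\n", run_supervised(good_worker, u, g));
    printf("crashing worker -> %d (SIGSEGV is %d)\n",
           run_supervised(crashing_worker, u, g), SIGSEGV);
    printf("supervisor still running as uid %d\n", (int)getuid());
    return 0;
}
```

Run it as an ordinary user and the crashing worker reports the signal number of SIGSEGV while the supervisor keeps going; run it as root with a non-root uid/gid and the worker's exploit surface is that unprivileged user, not ring 0.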
Current thread:
- Snort Kernel Module Josh Berry (Oct 06)
- Re: Snort Kernel Module Matt Kettler (Oct 06)
- Re: Snort Kernel Module Josh Berry (Oct 06)
- Re: Snort Kernel Module Mark Nipper (Oct 06)
- Re: Snort Kernel Module Jason Haar (Oct 06)
- Re: Snort Kernel Module pieter claassen (Oct 06)
- Re: Snort Kernel Module Josh Berry (Oct 06)
- Re: Snort Kernel Module Matt Kettler (Oct 06)
- Re: Snort Kernel Module Ravi Kumar (Oct 06)
- Re: Snort Kernel Module Dragos Ruiu (Oct 07)
- Re: Snort Kernel Module pieter claassen (Oct 07)
- Re: Snort Kernel Module Dragos Ruiu (Oct 07)