Snort mailing list archives
Re: Snort Kernel Module
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 7 Oct 2003 13:05:41 +1300
On Mon, Oct 06, 2003 at 03:15:58PM -0500, Josh Berry wrote:
> Mostly I need the performance improvements this would add. Where I work we have some developers, so the cost wouldn't be an issue. We would like to run a linux Intrusion Prevention System with Bridge/Netfilter/Snort-Inline, however, for where we would like to use it, we are worried that the system would not be able to handle the traffic. I
I think you have to define your problem better then... Are the perf issues with: 1: packet capture, 2: processing, or 3: logging?

Having a kernel module to do packet capture better than pcap does could fix "1" - but I think most of what pcap relies on comes out of the kernel already - so there isn't that much to gain... "2" or "3" hit security and standard systems issues pretty quickly (I mean, how would a kernel module re-read the config file? HUP ain't gonna work).

Typically perf problems with snort are with "3" - logging. Are you exclusively using barnyard, or are you calling syslog/SQL directly from Snort? If so, stop doing that :-) What about I/O and interrupt issues? Is your logging going to a different box, or is it on the same box as the IDS? At the top end that makes a difference in performance...

As far as "2" goes, what about a faster CPU and more RAM? If you could write a kernel module to do "2", you'd probably find that time could have just as well been spent on improving the code in standard snort instead (no insult intended! Just guessing!!! :-)...

No matter what, if you want to do bridging, filtering and snort-inline on the same box, then that box is going to have to be pretty grunty, and the HARDWARE you choose will have to be pretty-well hand-picked for the task... e.g. choice of Ethernet cards makes a big difference...

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
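As an added illustration of the logging point above (this is not part of Jason's reply or of Snort's own documentation), here are the two snort.conf output configurations side by side, written with Snort 2.x-era output directives; the database credentials and spool file names are placeholders:

```conf
# --- Slow: Snort writes every event to syslog and MySQL itself. ---
# Each alert blocks the detection engine on a syslog() call and a
# database round-trip, so under load the capture path falls behind
# and the kernel starts dropping packets.
output alert_syslog: LOG_AUTH LOG_ALERT
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=127.0.0.1

# --- Faster: Snort only appends binary records to a unified spool. ---
# Appending to a local file is cheap; Snort never waits on syslog or SQL.
# (file names are placeholders; "limit" is the rollover size in MB)
output alert_unified: filename snort.alert, limit 128
output log_unified: filename snort.log, limit 128
```

With the second configuration, barnyard runs as a separate process that reads the unified spool and does the syslog and database output asynchronously, so the detection engine is never stalled by the logging backend. Because the spool is just files, the same split also lets you keep the database on a different box from the sensor, which is the I/O separation the reply recommends.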