Intrusion Detection Systems
mailing list archives
Re: kernel implementations
From: jflowers () hiverworld com (John S Flowers)
Date: Thu, 20 Jul 2000 22:54:00 -0700
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
At Hiverworld, we're actively working with the OpenBSD team and have
added in-kernel support for a Bpf function (called HwBpf) that does
packet filtering in the OpenBSD kernel.

We're also doing some neat tricks to expose the in-kernel memory map to
the userland process, which basically means we're sending packet
information (in the form of pointers to structures) directly from the
NIC to a memory segment mapped to userland.

This has proven to be quite useful and is allowing us to achieve
considerable speed beyond the normal libpcap style of performing bpf
calls.

I'm not sure if we're going to release this code back to the OpenBSD
kernel sources, as there's a huge dependency on our own foundation
classes, but we're tossing the idea around and may end up making our
OpenBSD changes publicly available.

In the meantime, you'll have to wait for our IDS solution to be
available before you see a product that uses this technology.

Alternatively, I believe there's a Linux-based IDS solution called LIDS
that does some of this, but they aren't achieving anywhere near the
speeds we're getting with our OpenBSD modifications.
drellis () us ibm com wrote:
All of the applications (and research) that I have seen have put ID in
a user-level application. Has anybody looked into including ID
functionality in the kernel?
_______________
Dan Ellis
UC Santa Barbara
ellisd () cs ucsb edu
Carpe Diem
--
John S Flowers <jflowers () hiverworld com>
Core R&D http://www.hiverworld.com
Hiverworld, Inc. Continuous Adaptive Risk Management
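The design John describes (a filter that runs on the kernel side and hands userland descriptors into a shared packet buffer, instead of copying each frame through a libpcap read) can be modelled in a single process. The following is an added illustration, not Hiverworld, OpenBSD or LIDS code: a hypothetical `shared_seg` stands in for the mapped region, `kernel_rx` plays the in-kernel filter/producer, `user_next` plays the userland consumer, and the three frames fed through it are constructed for the demo. A stand-in filter matching TCP to port 80 replaces a real compiled BPF program.

```c
/* Added example: single-producer/single-consumer descriptor ring modelling a
 * kernel-side packet filter that publishes matching frames to userland via a
 * shared buffer, so the consumer reads them in place with no second copy.
 * All names, the filter and the sample frames are constructed for this
 * illustration; nothing here is Hiverworld or OpenBSD code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_BYTES 4096          /* stands in for the mmap()'d capture buffer */
#define RING_SLOTS  8             /* power of two: index wrap is a mask */

struct pkt_desc {                 /* what the kernel side publishes to userland */
    uint32_t off;                 /* byte offset of the frame within the arena */
    uint32_t len;                 /* frame length */
};

struct shared_seg {               /* the region both sides would map */
    uint8_t  arena[ARENA_BYTES];
    uint32_t arena_used;
    struct pkt_desc ring[RING_SLOTS];
    volatile uint32_t head;       /* advanced by the producer (kernel side) */
    volatile uint32_t tail;       /* advanced by the consumer (userland side) */
};

/* Stand-in for a compiled filter: Ethernet / IPv4 / TCP with dst port 80. */
static int filter_tcp_dport80(const uint8_t *f, uint32_t len)
{
    if (len < 14 + 20 + 4) return 0;
    if (f[12] != 0x08 || f[13] != 0x00) return 0;           /* EtherType IPv4 */
    uint32_t ihl = (f[14] & 0x0f) * 4u;
    if (ihl < 20 || len < 14 + ihl + 4) return 0;
    if (f[14 + 9] != 6) return 0;                            /* IP protocol TCP */
    uint32_t dport = ((uint32_t)f[14 + ihl + 2] << 8) | f[14 + ihl + 3];
    return dport == 80;
}

/* Producer path: filter first, copy the frame into the arena once, publish a descriptor.
 * Returns 1 if published, 0 if filtered out, -1 if dropped because ring/arena is full. */
static int kernel_rx(struct shared_seg *s, const uint8_t *frame, uint32_t len)
{
    if (!filter_tcp_dport80(frame, len)) return 0;
    if (s->head - s->tail == RING_SLOTS) return -1;
    if (s->arena_used + len > ARENA_BYTES) return -1;
    memcpy(s->arena + s->arena_used, frame, len);
    struct pkt_desc *d = &s->ring[s->head & (RING_SLOTS - 1)];
    d->off = s->arena_used;
    d->len = len;
    s->arena_used += len;
    s->head++;                                               /* publish to consumer */
    return 1;
}

/* Consumer path: returns a pointer into the shared arena (no copy), NULL when empty.
 * The bounds check matters if the producer side is ever less trusted than the reader. */
static const uint8_t *user_next(struct shared_seg *s, uint32_t *len)
{
    if (s->tail == s->head) return NULL;
    const struct pkt_desc *d = &s->ring[s->tail & (RING_SLOTS - 1)];
    if (d->off > ARENA_BYTES || d->len > ARENA_BYTES - d->off) { s->tail++; return NULL; }
    *len = d->len;
    const uint8_t *p = s->arena + d->off;
    s->tail++;
    return p;
}

/* Build a constructed Ethernet/IPv4 frame with the given L4 protocol and dst port. */
static uint32_t make_frame(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 14 + 20 + 20);
    buf[12] = 0x08; buf[13] = 0x00;          /* IPv4 */
    buf[14] = 0x45;                          /* version 4, IHL 5 (20 bytes) */
    buf[14 + 9] = proto;
    buf[14 + 20 + 2] = (uint8_t)(dport >> 8);
    buf[14 + 20 + 3] = (uint8_t)(dport & 0xff);
    return 14 + 20 + 20;
}

/* Feed four constructed frames through the "kernel" side; return how many
 * reached userland (two pass the port-80 filter, two are dropped in-kernel). */
int run_demo(void)
{
    static struct shared_seg seg;
    memset(&seg, 0, sizeof seg);
    uint8_t buf[64];
    uint32_t n;
    n = make_frame(buf, 6, 80);   kernel_rx(&seg, buf, n);   /* TCP/80: published */
    n = make_frame(buf, 17, 53);  kernel_rx(&seg, buf, n);   /* UDP/53: filtered */
    n = make_frame(buf, 6, 443);  kernel_rx(&seg, buf, n);   /* TCP/443: filtered */
    n = make_frame(buf, 6, 80);   kernel_rx(&seg, buf, n);   /* TCP/80: published */

    int delivered = 0;
    uint32_t len;
    const uint8_t *f;
    while ((f = user_next(&seg, &len)) != NULL) {
        printf("userland saw %u-byte frame at arena offset %ld\n", len, (long)(f - seg.arena));
        delivered++;
    }
    return delivered;
}
```

The speed-up in the real design comes from the two properties shown here: frames that fail the filter never leave the kernel, and frames that pass are read by the IDS through a descriptor rather than copied into a userland buffer per call. A production version additionally needs memory barriers between writing the descriptor and advancing `head`, and reclamation of arena space once `tail` has passed it; if the segment is writable by userland, the kernel side must treat anything userland writes into it (such as `tail`) as untrusted input and validate it before use.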