Intrusion Detection Systems mailing list archives

Re: new article about snort


From: cpw () lanl gov (Phil Wood)
Date: Mon, 17 Jul 2000 10:12:08 -0600


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Good article.  However, I noticed the commentary:

"Unfortunately, snort cannot provide packet loss statistics under Linux
 but is able to do so under both FreeBSD and Solaris."  

There are even special ifdef's in various libpcap based sources that point
out the inferiority of Linux over other OS's in regards to this.

Alexey Kuznetsov made it possible to extract a dropped packet count on Linux
using a system kernel configured with option CONFIG_PACKET_MMAP in conjunction
with a modified linux-pcap.c.  This permits the use of a ring buffer using
shared memory which allows the libpcap based program to peruse packets
on a ring while the kernel puts them on the ring if there is space.
A simple flag cleared by the application and set by the kernel for each
packet slot allows for management of the ring.  If a program is not able
to keep up, then the kernel will start incrementing a drop count.  A BPF
filter set by the application is used by the kernel to decide whether the
packet should be put on the ring.

Just thought I'd let you know that at this stage in Linux development
a drop count is available if you go to a little trouble.

Thanks,

-- 
Phil Wood, cpw () lanl gov
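An added illustration, not code from the post, from libpcap or from the kernel: a user-space model of the ring handshake described above, with the kernel side simulated by kernel_deliver() and the per-slot flag, drop counter and filter as the text names them. The TP_STATUS_* values, the tpacket_hdr/PACKET_STATISTICS remarks follow the real Linux interface; RING_SLOTS, the struct layout and the burst scenario are constructed for the example.

```c
/* Added example (not from the post): user-space model of the PACKET_MMAP
 * ring handshake. kernel_deliver() stands in for the kernel; in a real
 * capture the flag is struct tpacket_hdr.tp_status and the drop count is
 * read with getsockopt(fd, SOL_PACKET, PACKET_STATISTICS, ...). */
#include <stdint.h>
#include <string.h>

#define RING_SLOTS       4   /* constructed: tiny ring so a burst overflows */
#define TP_STATUS_KERNEL 0   /* slot is free: kernel may fill it            */
#define TP_STATUS_USER   1   /* slot holds a packet for the application     */

struct slot { uint32_t status, len; uint8_t data[64]; };
struct ring {                /* kidx/uidx: next slot kernel fills / app reads */
    struct slot slots[RING_SLOTS]; unsigned kidx, uidx; unsigned long drops;
};

/* Stand-in for the BPF filter: accept only IPv4 frames (EtherType 0x0800). */
static int bpf_accept(const uint8_t *pkt, uint32_t len) {
    return len >= 14 && pkt[12] == 0x08 && pkt[13] == 0x00;
}

/* Kernel side: filtered frames are skipped silently; a frame that passes the
 * filter but finds its slot still owned by the application is a drop. */
static void kernel_deliver(struct ring *r, const uint8_t *pkt, uint32_t len) {
    if (!bpf_accept(pkt, len)) return;
    struct slot *s = &r->slots[r->kidx];
    if (s->status != TP_STATUS_KERNEL) { r->drops++; return; }
    s->len = len < sizeof s->data ? len : (uint32_t)sizeof s->data;
    memcpy(s->data, pkt, s->len);
    s->status = TP_STATUS_USER;              /* publish slot to the application */
    r->kidx = (r->kidx + 1) % RING_SLOTS;
}

/* Application side: consume each ready slot and clear its flag for the kernel. */
static unsigned app_poll(struct ring *r) {
    unsigned n = 0;
    for (; r->slots[r->uidx].status == TP_STATUS_USER; n++) {
        r->slots[r->uidx].status = TP_STATUS_KERNEL;
        r->uidx = (r->uidx + 1) % RING_SLOTS;
    }
    return n;
}

/* Constructed scenario: 6 IPv4 frames and 1 ARP frame arrive while the app is
 * busy; 4 slots fill, the kernel records 2 drops, the ARP frame is filtered. */
static unsigned long burst_scenario(unsigned *consumed) {
    struct ring r; memset(&r, 0, sizeof r);
    uint8_t ip[14] = {0}, arp[14] = {0};
    ip[12] = 0x08; arp[12] = 0x08; arp[13] = 0x06;    /* ip[13] stays 0x00 */
    for (int i = 0; i < 6; i++) kernel_deliver(&r, ip, sizeof ip);
    kernel_deliver(&r, arp, sizeof arp);
    *consumed = app_poll(&r);                 /* returns 4, drops is 2 */
    return r.drops;
}
```

The point of the model is that a filtered frame and a dropped frame are distinct: only a frame that passed the filter and found no free slot raises the drop counter, which is the number an IDS should be watching.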
