Intrusion Detection Systems mailing list archives
Re: kernel implementations
From: robert_david_graham () yahoo com (Robert Graham)
Date: Fri, 21 Jul 2000 12:51:59 -0700 (PDT)
--- Dug Song <dugsong () monkey org> wrote:
> On Thu, 20 Jul 2000, John S Flowers wrote:
>
> > Alternately, I believe there's a Linux-based IDS solution called LIDS that does some of this, but they aren't achieving anywhere near the speeds we're getting with our OpenBSD modifications.
>
> LIDS does nothing of the sort, actually. they're focusing on providing kernel audit facilities, finer-grained access controls, and an analog to BSD securelevels. you're probably thinking of Alexey Kuznetsov's "turbopacket" kernel patch for Linux:
For network-IDS, it doesn't really make sense to have a "kernel" implementation. TUX (a kernel web server) uses kernel services such as file I/O, thread/process switching, and the TCP/IP stack. In contrast, the only OS service network-IDS uses is packet capture. Moreover, the "packet capture" is only related to the networking drivers and has no relationship to the TCP/IP stack. A "kernel" implementation of network-IDS is really just a dedicated device driver for packet capture.

An example of a "kernel" implementation would be the Full-Duplex version of BlackICE Sentry under WinNT. It handles its own packet capture, removing that last tie to the OS. Like TUX, it puts the simple but high-performance bits into the kernel/driver, and leaves the complex bits in user mode. This means the packet capture driver (30k) is in kernel space and the signature analysis (600k) is in user space.

But it is inaccurate to think of this as a "kernel-mode" implementation because it has zero disk access, no I/O, no process switching, no TCP/IP stack, etc. The OS at this point becomes simply a program loader.

In other words, if you want to put together a system for network-IDS, you should probably go for the system that performs well in SPECint rather than SPECweb.
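The split Graham describes (a small capture driver whose only job is to hand raw frames across, with all protocol parsing and signature matching in user space) is easy to show in miniature. The C program below is an added example, not code from the post, from BlackICE or from any of the projects named in the thread: the ring buffer stands in for the capture driver's hand-off, the parser and signature table for the user-mode analyzer, and every frame, address and signature in it is constructed for the demo.

```c
/* Added example (not from the post or BlackICE): capture/analysis split in
 * miniature; frames, addresses and signatures below are all constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE  256
#define RING_SLOTS 8

/* Capture side ("driver"): copy raw frames into fixed slots, never parse them.
 * A full ring means drop-and-count, never block the receive path. */
struct ring { uint8_t slot[RING_SLOTS][SLOT_SIZE]; size_t len[RING_SLOTS];
              size_t head, tail, dropped; };

int ring_put(struct ring *r, const uint8_t *frame, size_t len)
{
    size_t next = (r->head + 1) % RING_SLOTS;
    if (len > SLOT_SIZE || next == r->tail) { r->dropped++; return 0; }
    memcpy(r->slot[r->head], frame, len);
    r->len[r->head] = len;
    r->head = next;
    return 1;
}

int ring_get(struct ring *r, const uint8_t **frame, size_t *len)
{
    if (r->head == r->tail) return 0;
    *frame = r->slot[r->tail]; *len = r->len[r->tail];
    r->tail = (r->tail + 1) % RING_SLOTS;
    return 1;
}

/* Analysis side ("user mode"): the only code that interprets attacker-supplied
 * bytes, so every offset is checked against the captured length. */
static const char *signatures[] = {
    "/../../etc/passwd",    /* constructed traversal pattern */
    "\x90\x90\x90\x90",     /* constructed NOP-sled pattern */
};

/* TCP payload of an Ethernet/IPv4/TCP frame (length in *plen), or NULL.
 * Trailing Ethernet padding is tolerated; an IP length past the capture is not. */
const uint8_t *tcp_payload(const uint8_t *f, size_t len, size_t *plen)
{
    if (len < 14 || f[12] != 0x08 || f[13] != 0x00) return NULL;   /* not IPv4 */
    const uint8_t *ip = f + 14; size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return NULL;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = ((size_t)ip[2] << 8) | ip[3];
    if (ihl < 20 || tot < ihl || tot > iplen || ip[9] != 6) return NULL; /* not TCP */
    const uint8_t *tcp = ip + ihl; size_t tcplen = tot - ihl;
    if (tcplen < 20) return NULL;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tcplen) return NULL;
    *plen = tcplen - doff; return tcp + doff;
}

/* Index of the first matching signature, or -1. */
int match_signature(const uint8_t *payload, size_t plen)
{
    for (size_t s = 0; s < sizeof signatures / sizeof *signatures; s++) {
        size_t n = strlen(signatures[s]);
        for (size_t i = 0; i + n <= plen; i++)
            if (memcmp(payload + i, signatures[s], n) == 0) return (int)s;
    }
    return -1;
}

/* Constructed test traffic: minimal frame 10.0.0.1 -> 10.0.0.2:80, no checksums
 * (the analyzer above never needs them). Returns frame length, 0 on overflow. */
size_t build_frame(uint8_t *out, size_t cap, const char *payload)
{
    size_t plen = strlen(payload), tot = 40 + plen;
    if (14 + tot > cap) return 0;
    memset(out, 0, 14 + tot);
    out[12] = 0x08;                                   /* EtherType 0x0800 */
    uint8_t *ip = out + 14, *tcp = ip + 20;
    ip[0] = 0x45; ip[2] = (uint8_t)(tot >> 8); ip[3] = (uint8_t)tot;
    ip[8] = 64; ip[9] = 6; ip[12] = 10; ip[15] = 1; ip[16] = 10; ip[19] = 2;
    tcp[3] = 80; tcp[12] = 0x50; tcp[13] = 0x18;      /* dport, doff 5, PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return 14 + tot;
}

/* Drains the ring through the analyzer and returns the alert count. */
int process_ring(struct ring *r)
{
    const uint8_t *f, *p; size_t len, plen; int s, alerts = 0;
    while (ring_get(r, &f, &len)) {
        p = tcp_payload(f, len, &plen);               /* NULL: not TCP or malformed */
        if (p && (s = match_signature(p, plen)) >= 0) { alerts++; printf("alert: signature %d\n", s); }
    }
    return alerts;
}

/* Three constructed frames; the second and third should alert (returns 2). */
int demo_alerts(void)
{
    static const char *traffic[] = { "GET /index.html HTTP/1.0\r\n",
        "GET /../../etc/passwd HTTP/1.0\r\n", "\x90\x90\x90\x90\x90\x90 junk" };
    struct ring r = {0}; uint8_t buf[SLOT_SIZE];
    for (size_t i = 0, n; i < 3; i++)
        if ((n = build_frame(buf, sizeof buf, traffic[i])) > 0) ring_put(&r, buf, n);
    return process_ring(&r);
}

int main(void) { printf("alerts: %d\n", demo_alerts()); return 0; }
```

Compile with `cc -std=c99 -Wall` and run. The point to notice is where the complexity lives: the capture side is a memcpy and two index updates, which is all a driver needs to be, while every bounds check and all the pattern matching sit on the analysis side, where a parsing bug costs a process rather than a kernel.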
Current thread:
- kernel implementations drellis () us ibm com (Jul 20)
- Re: kernel implementations John S Flowers (Jul 20)
- Re: kernel implementations Dug Song (Jul 21)
- Re: kernel implementations John S Flowers (Jul 21)
- Re: kernel implementations Dug Song (Jul 21)
- RE: kernel implementations drellis () us ibm com (Jul 21)
- <Possible follow-ups>
- Re: kernel implementations drellis () us ibm com (Jul 21)
- Re: kernel implementations Robert Graham (Jul 21)
- Re: kernel implementations Dug Song (Jul 21)
- Re: kernel implementations mht () clark net (Jul 22)
- Re: kernel implementations Dug Song (Jul 22)
- Re: kernel implementations mht () clark net (Jul 22)
- Re: kernel implementations Marcus J. Ranum (Jul 24)
- Re: kernel implementations John S Flowers (Jul 23)
- Re: kernel implementations Martin Roesch (Jul 25)
- Re: kernel implementations (Target based IDS comments and questions) Ron Gula (Jul 25)
- Re: kernel implementations Allen Leibowitz (Jul 25)
- Re: kernel implementations John S Flowers (Jul 20)
