Intrusion Detection Systems mailing list archives

Re: kernel implementations


From: jflowers () hiverworld com (John S Flowers)
Date: Fri, 21 Jul 2000 15:31:03 -0700


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
Dug:  Right you are.  I was absolutely thinking of turbopacket and not
LIDS.  Then again, I'm not even remotely a Linux user and am only
familiar with Linux up until the '98 time frame (I've been an OpenBSD
user since then) so I'm bound to make mistakes when it comes to that
platform. ;)

Otherwise, I wanted to mention a few additional details in answer to
some of the questions that were raised in earlier posts.

First and foremost, I may have misspoke when mentioning that we pass
pointers around that point to the NIC's memory.  What we're actually
doing is copying the packet from the NIC to a kernel mapped memory
segment that is exposed to userland.  This allows us to read all of the
packet information from a shared memory location either by the kernel or
by the userland application.

Imagine:

NIC -> copy by kernel to memory map <- available to userland

The speeds we're getting are tough to measure without having everyone
on this list scream that we're either "cooking our results" or similar,
but I will say this:  on a P3/700 (coppermine) using the SysKonnect
SK-9843 (recommended to us by Theo) with 128M of RAM we're seeing ~300
Mbps [sustained].

This includes the decoder and the defragmentation routines, but doesn't
include all of the detection engine.  We're not expecting the full
detection engine to cause us to lose more than 50-75 Mbps based on our
initial testing, but we've not put the system through the QA process
w/everything turned on yet.  (so, please don't start screaming about how
much BS this is until I post the final results w/the detection engine
turned on... thanks).

We're also just testing the speed by running things like netperf from HP
or tcpreplay against a Cisco 3000 series switch where all the ports are
spanned to a single GBIC interface that's connected to the SK.  In the
case of netperf, there's a client and a server -- actually creating
connections & sending data back and forth -- but the tcpreplay stuff is
just blasting packets.  When I say 300 Mbps, I am speaking of netperf
and TCP connections, not tcpreplay.

Lastly, I'd like to encourage other people on this list to toss out some
of the numbers that they are seeing (in real world environments) using
either 100 Mbit or multiple 100 Mbit systems behind a load balancer.
We're having a lot of trouble getting real data out of the vendors. ;)

We'll eventually end up asking a 3rd party to do some independent
benchmarking before this is all finished and I'll be more than happy to
post the results to this list.

P.S.  Marty Roesch (the guy who wrote snort) is working on and can
elaborate more on the detection engine for this system.

Dug Song wrote:

On Thu, 20 Jul 2000, John S Flowers wrote:

Alternately, I believe there's a Linux based IDS solution called LIDS
that does some of this, but they aren't achieving anywhere near the
speeds we're getting with our OpenBSD modifications.

LIDS does nothing of the sort, actually. they're focusing on providing
kernel audit facilities, finer-grained access controls, and an analog to
BSD securelevels.

you're probably thinking of Alexey Kuznetsov's "turbopacket" kernel
patch for Linux:

http://www.tux.org/pub/net/ip-routing/lbl-tools/kernel-turbopacket.dif.gz

-d.

---
http://www.monkey.org/~dugsong/

-- 
John S Flowers                     <jflowers () hiverworld com>
Core R&D                           http://www.hiverworld.com
Hiverworld, Inc.         Continuous Adaptive Risk Management
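The shared-memory design John describes (NIC -> one kernel copy into a mapped segment <- read in place by userland) in a minimal form, with the "ring full" case counted as a drop. This is example code added to this archive page, not Hiverworld's or turbopacket's code; the slot layout, the status word and every function name here are assumptions.

```c
#define _GNU_SOURCE                 /* for MAP_ANONYMOUS on glibc */
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define NSLOTS   4                  /* tiny ring so the "ring full" case is easy to reach */
#define FRAME_SZ 2048               /* header plus a full 1500-byte Ethernet frame */
enum { SLOT_KERNEL = 0, SLOT_USER = 1 };   /* which side owns a slot right now */

struct frame_hdr { volatile uint32_t status; uint32_t len; };   /* payload follows */
struct ring {
    uint8_t *base;                  /* the shared, memory-mapped segment */
    unsigned head, tail;            /* kernel write slot, userland read slot */
    unsigned dropped;               /* packets lost because userland fell behind */
};
#define SLOT(r, i) ((struct frame_hdr *)((r)->base + (size_t)(i) * FRAME_SZ))
/* Stand-in for the kernel-mapped segment: an anonymous shared mapping. */
int ring_init(struct ring *r) {
    size_t sz = (size_t)NSLOTS * FRAME_SZ;
    r->base = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (r->base == MAP_FAILED) return -1;
    memset(r->base, 0, sz);         /* every slot starts out owned by the kernel */
    r->head = r->tail = r->dropped = 0;
    return 0;
}

/* "Kernel side": the one copy, NIC buffer -> shared slot. If userland has not
 * freed the slot the packet is dropped and counted; for a sensor, drops are blind spots. */
int kernel_deliver(struct ring *r, const uint8_t *pkt, uint32_t len) {
    struct frame_hdr *h = SLOT(r, r->head);
    if (h->status != SLOT_KERNEL || len > FRAME_SZ - sizeof *h) { r->dropped++; return -1; }
    memcpy((uint8_t *)(h + 1), pkt, len);
    h->len = len;
    h->status = SLOT_USER;          /* publish last (a real kernel adds a write barrier) */
    r->head = (r->head + 1) % NSLOTS;
    return 0;
}
/* "Userland side": decode straight out of the slot (no second copy), then give
 * it back with user_done(). Returns the length, or -1 when nothing is pending. */
int user_next(struct ring *r, const uint8_t **data) {
    struct frame_hdr *h = SLOT(r, r->tail);
    if (h->status != SLOT_USER) return -1;
    *data = (const uint8_t *)(h + 1);
    return (int)h->len;
}
void user_done(struct ring *r) {
    SLOT(r, r->tail)->status = SLOT_KERNEL;     /* hand the slot back to the kernel */
    r->tail = (r->tail + 1) % NSLOTS;
}
```

The decoder and defragmenter would work on the pointer returned by user_next(); the dropped counter is what a sensor operator should be graphing alongside the Mbps figure.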
