Re: Snort Kernel Module

["Josh Berry" <josh.berry () netschematics com>]

Running on an embedded device is my intention.  I should have made that
clear.  There are several linux compatible soho type devices that you can
run a kernel on, I can already run the linux firewall but it would be nice
to be able to run the linux kernel also.

> Most points raised I do believe are valid. However, what about the
> possibilities on embedded devices that don't have any need for multi
> user environments (separation of kernel and user space)?
>
> Pieter
>
> On Mon, 2003-10-06 at 22:07, Matt Kettler wrote:
> > At 02:04 PM 10/6/2003, Josh Berry wrote:
> > > Are there any projects out there that are trying to move snort into the
> > > Linux kernel, or as a kernel loadable module.  Would this provide any
> > > benefits (security, speed, accuracy)?
> >
> > Speed would be improved somewhat.
> > Security would certainly go down very significantly due it increased
> > privileges. (ie: a exploit of the snort code would now give kernel-mode
> > privilege, instead of root or non-root user privilege.)
> >
> > >   Is there any reason this would not
> > > be possible?
> >
> > It's possible, but IMO that's not the point.
> >
> > >  Would this be incredibly difficult?
> >
> > Yes, it would be difficult as most of the code would require rewrite to
> > use
> > kernel-level memory and IO APIs.
> >
> > Functionality would be limited, since kernel processes don't really have
> > extensive libraries like glibc provides. ie: no more mysql support for
> > sure.
> >
> > It would also be incredibly foolish from a security prespective and it
> > would make snort a linux-specific tool.
> >
> > The kernel should only implement things which belong in the kernel.
> > Moving
> > complex user-space processes into the kernel is dangerous and should
> > only
> > be done with considerable reason to do so. Unlike an application, if a
> > piece of the kernel fails and munges memory, most time the system goes
> > down
> > completely with no graceful shutdown. No disk sync, no nothing.. just
> > oops
> > and crash.
> >
> > If an app munges memory, it just segfaults and gets dumped, but the
> > system
> > keeps running.
> >
> > Also, code running at the kernel level has significantly more privilege
> > than even the root user has. It can touch any memory, or any hardware in
> > the entire system without any restrictions. Even root has to jump
> > through
> > some hoops (ie: loading a module) to do this, and on a well-secured
> > system,
> > even root can't load kernel mode code. (yes, I do use grsecurity patches
> > on
> > my linux boxes and have no loadable module support.)
> >
> >
> >
> >
> >
> >
> > -------------------------------------------------------
> > This sf.net email is sponsored by:ThinkGeek
> > Welcome to geek heaven.
> > http://thinkgeek.com/sf
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> --
> pieter claassen <pieter () countersnipe com>





-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users