Subject: Re: IDS: kernel implementations
From: John S Flowers (jflowers@hiverworld.com)
Date: Fri Jul 21 2000 - 00:54:00 CDT


Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
At Hiverworld, we're actively working with the OpenBSD team and have
added in kernel support for a Bpf function (called HwBpf) that does
packet filtering in the OpenBSD kernel.

We're also doing some neat tricks to expose the in-kernel memory map to
the userland process, which basically means we're sending packet
information (in the form of pointers to structures) directly from the
NIC to a memory segment mapped to userland.

This has proven to be quite useful and is allowing us to achieve
considerable speed beyond the normal libpcap style of performing bpf
calls.

I'm not sure if we're going to release this code back to the OpenBSD
kernel sources, as there's a huge dependency on our own foundation
classes, but we're tossing the idea around and may end up making our
OpenBSD changes publicly available.

In the meantime, you'll have to wait for our IDS solution to be
available before you see a product that uses this technology.

Alternately, I believe there's a Linux-based IDS solution called LIDS
that does some of this, but they aren't achieving anywhere near the
speeds we're getting with our OpenBSD modifications.

drellis@us.ibm.com wrote:
>
> All of the applications (and research) that I have seen have put ID in
> a user-level application. Has anybody looked into including ID
> functionality in the kernel?
> _______________
> Dan Ellis
> UC Santa Barbara
> ellisdcs.ucsb.edu
>
> Carpe Diem

-- 
John S Flowers                   <jflowers@hiverworld.com>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management
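The message above contrasts Hiverworld's in-kernel HwBpf/shared-memory approach with the ordinary libpcap path, in which the kernel evaluates a BPF filter program against every frame and copies only accepted frames up to userland. The following is an added example, not code from Hiverworld, OpenBSD or this list: a small, self-contained interpreter for a subset of classic BPF (the opcodes, the `insn` layout and all function names are this example's own definitions, not those of `<net/bpf.h>`), running the filter equivalent to `tcp dst port 80` over constructed Ethernet/IPv4/TCP frames. It shows the three properties a kernel filter has to have for this design to be safe: every packet load is bounds-checked against the captured length (an out-of-range load rejects the packet instead of reading kernel memory), the program can only branch forward so it always terminates, and a returned length of 0 means the frame is never copied to userland at all.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal classic-BPF subset (this example's own definitions). */
enum { OP_LDH_ABS, OP_LDB_ABS, OP_LDX_MSH, OP_LDH_IND, OP_JEQ, OP_JSET, OP_RET };

struct insn {
    uint8_t  code; /* opcode from the enum above                                  */
    uint8_t  jt;   /* forward jump (in instructions) if the condition holds       */
    uint8_t  jf;   /* forward jump if it does not                                 */
    uint32_t k;    /* immediate: packet offset, compare value or return length    */
};

/* Filter equivalent to "tcp dst port 80" on Ethernet: return 262144 (copy the
 * whole frame) or 0 (drop it before it is ever copied to userland). */
static const struct insn tcp_dport_80[] = {
    { OP_LDH_ABS, 0, 0, 12     }, /* 0: A = EtherType                         */
    { OP_JEQ,     0, 8, 0x0800 }, /* 1: not IPv4            -> 10 (drop)      */
    { OP_LDB_ABS, 0, 0, 23     }, /* 2: A = IP protocol                       */
    { OP_JEQ,     0, 6, 6      }, /* 3: not TCP             -> 10 (drop)      */
    { OP_LDH_ABS, 0, 0, 20     }, /* 4: A = IP flags + fragment offset        */
    { OP_JSET,    4, 0, 0x1fff }, /* 5: non-first fragment  -> 10 (no L4 hdr) */
    { OP_LDX_MSH, 0, 0, 14     }, /* 6: X = 4 * IHL = IP header length        */
    { OP_LDH_IND, 0, 0, 16     }, /* 7: A = TCP dst port at 14 + X + 2        */
    { OP_JEQ,     0, 1, 80     }, /* 8: port 80 -> 9, otherwise -> 10         */
    { OP_RET,     0, 0, 262144 }, /* 9: accept                                */
    { OP_RET,     0, 0, 0      }, /* 10: drop                                 */
};
#define NINSN (sizeof tcp_dport_80 / sizeof tcp_dport_80[0])

/* Evaluate a filter program over one captured frame of `len` bytes. Every load
 * is checked against `len`; a load past the end rejects the frame (returns 0),
 * which is what keeps a filter from reading memory it does not own. */
uint32_t bpf_run(const struct insn *prog, size_t n, const uint8_t *p, size_t len) {
    uint32_t A = 0, X = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &prog[pc++];
        switch (i->code) {
        case OP_LDH_ABS:
            if ((size_t)i->k + 2 > len) return 0;
            A = (uint32_t)p[i->k] << 8 | p[i->k + 1];
            break;
        case OP_LDB_ABS:
            if ((size_t)i->k + 1 > len) return 0;
            A = p[i->k];
            break;
        case OP_LDX_MSH:                      /* X = 4 * (p[k] & 0x0f) */
            if ((size_t)i->k + 1 > len) return 0;
            X = (uint32_t)(p[i->k] & 0x0f) * 4;
            break;
        case OP_LDH_IND:
            if ((size_t)X + i->k + 2 > len) return 0;
            A = (uint32_t)p[X + i->k] << 8 | p[X + i->k + 1];
            break;
        case OP_JEQ:  pc += (A == i->k) ? i->jt : i->jf; break;
        case OP_JSET: pc += (A & i->k)  ? i->jt : i->jf; break;
        case OP_RET:  return i->k;
        default:      return 0;               /* unknown opcode: reject */
        }
    }
    return 0;                                 /* fell off the end: reject */
}

/* Build a constructed Ethernet frame (no real traffic) in a 128-byte buffer:
 * an IPv4 header of `ihl` 32-bit words with the given protocol and fragment
 * field, followed by a 20-byte L4 header carrying `dport`. Returns its length. */
size_t build_frame(uint8_t *buf, uint16_t ethertype, uint8_t proto,
                   uint16_t dport, uint8_t ihl, uint16_t frag) {
    if (ihl < 5) ihl = 5;
    size_t l4 = 14 + (size_t)ihl * 4;         /* start of the TCP/UDP header */
    memset(buf, 0, 128);
    buf[12] = ethertype >> 8; buf[13] = ethertype & 0xff;
    if (ethertype != 0x0800) return 42;       /* e.g. ARP: 28-byte body */
    buf[14] = 0x40 | (ihl & 0x0f);            /* version 4, header length */
    buf[20] = frag >> 8;      buf[21] = frag & 0xff;
    buf[23] = proto;
    buf[l4 + 2] = dport >> 8; buf[l4 + 3] = dport & 0xff;
    return l4 + 20;
}

/* Run the filter over one constructed frame; returns the accepted length. */
uint32_t filter_frame(uint16_t ethertype, uint8_t proto, uint16_t dport,
                      uint8_t ihl, uint16_t frag) {
    uint8_t buf[128];
    size_t len = build_frame(buf, ethertype, proto, dport, ihl, frag);
    return bpf_run(tcp_dport_80, NINSN, buf, len);
}

/* A valid tcp/80 frame captured only up to `len` bytes: the filter must reject
 * it rather than read past the snapshot. */
uint32_t filter_truncated(size_t len) {
    uint8_t buf[128];
    build_frame(buf, 0x0800, 6, 80, 5, 0);
    return bpf_run(tcp_dport_80, NINSN, buf, len);
}

int main(void) {
    printf("tcp/80              -> %u\n", filter_frame(0x0800, 6, 80, 5, 0));
    printf("tcp/80, IP options  -> %u\n", filter_frame(0x0800, 6, 80, 8, 0));
    printf("tcp/22              -> %u\n", filter_frame(0x0800, 6, 22, 5, 0));
    printf("udp/80              -> %u\n", filter_frame(0x0800, 17, 80, 5, 0));
    printf("arp                 -> %u\n", filter_frame(0x0806, 0, 0, 5, 0));
    printf("tcp/80, 2nd fragment-> %u\n", filter_frame(0x0800, 6, 80, 5, 1));
    printf("tcp/80, 20-byte snap-> %u\n", filter_truncated(20));
    return 0;
}
```

Note the fragment check on instruction 5 tests only the 13-bit fragment offset, so a first fragment with the MF flag set still reaches the port comparison; later fragments, which carry no TCP header, are dropped rather than having an unrelated payload word compared against the port number.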