Re: [Netadm-devel] hi il-eok hwang [everyone readme please]
From: jeho-park <lin...@gm...> - 2006-03-08 12:22:47
hi il-eok

il-eok hwang wrote:
> Hi, jeho park and everyone~~
>
> first, sorry for my poor english.
>
> as i think, i quite agree with you and i hope to help our project
> about the field of IPS (DPI).
> if my opinion will be established, i will make a document about DPI.
>
> there are some problems in porting SNORT to kernel. see below.
> - memory
> - rule
> - log
> - etc

That's great! If you write it in Korean, I will help translate the document into English.

Reading your letter made me excited ^--^ and I have so many questions. I can imagine that many changes were needed to port Snort to the kernel layer, but I wonder whether all of Snort's code really needed to be ported to the kernel layer? If so, what is the main motive of this porting? Is it for better performance in checking network packets? (I assume you threw away the current libpcap (promiscuous) related code of Snort; then you must have replaced it with a netfilter hook.) I think that since you replaced libpcap with a netfilter hook, you could check all network packets without packet loss. But I wonder, as a result of that, how much system performance or network throughput did you lose? I want to know about this point because you have already done this test.

> 6 months ago, i did port to kernel with netfilter.
> recently, i make a new kernel hook, so i will port SNORT with a my
> hook instead of netfilter.
>
> have a nice day ^.^*~~

From my knowledge, the current netfilter hook ranges from the Ethernet layer to the IP layer. Did you mean your hook covers the TCP/UDP layer? I will wait for your reply. If it is possible, please show us the framework you did 6 months ago and the current design as a figure. They must be very interesting, and I am sure everyone wants to know about that ^---^

p.s.: Since I started this project, I have thought that the current pf.c would receive the last alarm from Snort or another IDS sensor, so pf, as a result of receiving the alarm, would drop a specified source host or control the traffic of the suspicious host. But while reading your letter, I think you have already done it. Isn't it? If so, I don't mind throwing away my design. Then I can concentrate my energy more only on "flow control" ^--^

regards
jeho park

> 2006/3/8, jeho-park <lin...@gm... <mailto:lin...@gm...>>:
>
> > hi il-eok
> > glad to meet you through this mailing list.
> >
> > i read your mail, so i thought you have a good career in security.
> > i expect you to help our project in the field of QoS or IPS.
> >
> > most of all, i wonder how you ported snort to the network stack of
> > linux.
> >
> > today, george and kwan-kyung are also researching that. so i hope
> > you will share your knowledge with them.
> >
> > regards
> > jeho park
> >
> > _______________________________________________
> > Netadm-devel mailing list
> > Net...@li... <mailto:Net...@li...>
> > https://lists.sourceforge.net/lists/listinfo/netadm-devel
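The p.s. above sketches a reaction loop: the packet filter (pf.c) receives an alarm from Snort or another IDS sensor and then drops traffic from the reported source host. The following is an added example, not code from the Netadm-devel project or from either author of the thread, that shows that loop in userspace C so it can be compiled and run without a kernel: it parses a Snort "alert_fast" style line (the `{PROTO} src:port -> dst:port` tail is the assumed shape), extracts the source address, and keeps a small blocklist with an expiry so that a per-packet `should_drop()` check can be consulted. The function names, the `BLOCK_TTL` policy, the IPv4-only parsing and the sample alert line are all assumptions made for this example; the sample alert is constructed, not a real capture.

```c
/* Added example (not from the Netadm-devel thread): a userspace sketch of the
 * "IDS alarm -> block source host" reaction described in the mail.
 * Parses a Snort fast-alert style line, records the source address on a
 * blocklist with expiry, and answers should_drop(src, now) per packet.
 * Assumptions: IPv4 dotted-quad addresses; alert tail "{PROTO} src -> dst". */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_BLOCKED 64
#define ADDR_LEN    16          /* "255.255.255.255" plus NUL */
#define BLOCK_TTL   600         /* seconds a host stays blocked (assumed policy) */

struct blocked_host {
    char   addr[ADDR_LEN];
    time_t expires;             /* 0 = slot unused */
};

static struct blocked_host blocklist[MAX_BLOCKED];

/* Extract the source address from a line ending like
 *   "... {TCP} 10.0.0.1:1234 -> 10.0.0.2:80"   or   "... {ICMP} 10.0.0.1 -> 10.0.0.2"
 * The address follows the "{PROTO} " token and ends at ':' or at the arrow.
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_alert_source(const char *line, char *out, size_t outlen)
{
    const char *arrow = strstr(line, " -> ");
    if (!arrow)
        return 0;
    const char *p = arrow;
    while (p > line && *p != '}')       /* walk back to the closing brace of {PROTO} */
        p--;
    if (*p != '}')
        return 0;
    p++;
    while (*p == ' ')
        p++;
    size_t n = 0;
    while (p + n < arrow && p[n] != ':')
        n++;
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Add or refresh a host on the blocklist. Returns 1 if stored, 0 if the list is full. */
int block_source(const char *addr, time_t now)
{
    struct blocked_host *slot = NULL;
    for (int i = 0; i < MAX_BLOCKED; i++) {
        if (blocklist[i].expires && strcmp(blocklist[i].addr, addr) == 0) {
            slot = &blocklist[i];       /* already listed: refresh its expiry */
            break;
        }
        if (!slot && (blocklist[i].expires == 0 || blocklist[i].expires <= now))
            slot = &blocklist[i];       /* first free or expired slot */
    }
    if (!slot)
        return 0;
    snprintf(slot->addr, ADDR_LEN, "%s", addr);
    slot->expires = now + BLOCK_TTL;
    return 1;
}

/* Per-packet decision: 1 = drop (source is blocked and the block has not expired). */
int should_drop(const char *src, time_t now)
{
    for (int i = 0; i < MAX_BLOCKED; i++)
        if (blocklist[i].expires > now && strcmp(blocklist[i].addr, src) == 0)
            return 1;
    return 0;
}

/* Alarm handler: parse the alert and block its source. Returns 1 if a host was blocked. */
int handle_alert(const char *line, time_t now)
{
    char src[ADDR_LEN];
    if (!parse_alert_source(line, src, sizeof src))
        return 0;
    return block_source(src, now);
}

int main(void)
{
    /* constructed sample alert in Snort fast format (not a real capture) */
    const char *alert =
        "03/08-12:22:47.000000  [**] [1:1000001:1] EXAMPLE scan [**] "
        "[Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80";
    time_t now = time(NULL);
    handle_alert(alert, now);
    printf("10.0.0.1 drop=%d, 10.0.0.2 drop=%d, after ttl drop=%d\n",
           should_drop("10.0.0.1", now), should_drop("10.0.0.2", now),
           should_drop("10.0.0.1", now + BLOCK_TTL + 1));
    return 0;
}
```

The expiry is the part worth keeping in any real version of this design: a block that never times out turns a single false positive, or an attacker spoofing a trusted source in a noisy packet, into a permanent outage for that host, so the filter should only drop while the alarm is fresh and re-arm when the sensor fires again.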