Re: [Netadm-devel] hi il-eok hwang [everyone readme please]
From: il-eok h. <ie...@gm...> - 2006-03-09 05:21:24
hi jeho-park

Did you have a lunch??
yesterday i did work for LAC all the night through. so i am fatigue.
anyway..

jeho-park wrote:
> i can't sure what is the best solution, but i think it may be dependent on network environment (gateway.. or sensor mode) and system performances. i suggest that before starting design, we should talk about this. because it is not easy to remake the frame,

sure, i think so. thanks for your concern.
maybe you have some misunderstanding for my mail.
currently i use zebra for dynamic routing in my company's project.
as i think, gwc's cli is better than zebra's cli. ^.^*~~
once more, thanks for your concern.
have a nice day~~

2006/3/9, jeho-park <lin...@gm...>:
>
> hi il-eok
>
> can you please cc net...@li... address whenever you send email ^-^
>
> il-eok hwang wrote:
>
> Hi, jeho park and everyone~~
>
> Sorry, My work's results are not mine but my company. and I did leave my company one month ago.
> So i will give you any doc currently.
>
> yes i understand, and i hope you to share some doc without breaking the license with your past company.
>
> As you know, Snort Inline use netfilter target called IP_QUEUE.
> and IP_QUEUE used netlink. i think these are not good solution.
> How about you??
>
> last year, i heard that snort supports netfilter target. but i didn't check it or know more than that.
> from reading your letter, i realized the target is IP_QUEUE.
>
> i can't sure what is the best solution, but i think it may be dependent on network environment(gateway.. or sensor mode) and system performances. i suggest that before starting design, we should talk about this.
> because it is not easy to remake the frame,
>
> you said to me as below.
> i can imagine that there might be so many changes was needed to port snort to kernel layer.
> but i wonder all of snort code was really needed to port to the kernel layer?
> if so, what is the main motive of this porting ?
> is it for more better performance of checking network packet ? ( i assume you might throw away
> current libpcap(promiscuous) concerned code of snort then you must have replaced that with
> netfilter hook )
>
> it's a good solution. but as i think, mbuf is better than libpcap. some IDS were developed with
> zero copy tech in Linux.
>
> TODO.
> - intrusion detection point in kernel : preprocessor & pattern matching engine
> - packet drop by rule
> - use conf file and rule file in user land.
> - ....
>
> recently, i works for developing L2TP - LAC, LNS. there are some bugs in rp-l2tp & zebra,
> so i will catch the bugs. after fixing-maybe 4days, i will check the current our project's source codes.
>
> i recommend this document.
> http://netadm.sourceforge.net/devel_netadm_ko.txt especially chapter 3,4, 5
>
> i think you don't have to understand all of our code but the interface which let you make your cli command
>
> i know zebra interface is not bad.. and used globally.. but our cli interface more simple, and easy to build
>
> and make your cli command exported GUI interface. check "include/confproc.h" and gwclib/conftab.c
>
> gwclib/confproc.c
>
> bye ~
>
> see you later~~
>
> 2006/3/8, jeho-park <lin...@gm...>:
> >
> > hi il-eok
> >
> > il-eok hwang wrote:
> >
> > Hi, jeho park and everyone~~
> >
> > first, sorry for my poor English.
> >
> > as i think, i quite agree with you and i hope to help our project about the field of IPS( DPI ).
> > if my opinion will be established, i will make a document about DPI.
> >
> > there are some problems in porting SNORT to kernel. see below.
> > - memory
> > - rule
> > - log
> > - etc
> >
> > that's great ! if you make it with Korean, i will help to translate this document into English.
> >
> > through reading your letter, i become excited ^--^ and have so many question.
> >
> > i can imagine that there might be so many changes was needed to port snort to kernel layer.
> > but i wonder all of snort code was really needed to port to the kernel layer?
> > if so, what is the main motive of this porting ?
> > is it for more better performance of checking network packet ? ( i assume you might throw away
> > current libpcap(promiscuous) concerned code of snort then you must have replaced that with netfilter hook )
> >
> > i think as you replaced libpcap with netfilter hook, you could check all network packet without packet loss.
> > but i wonder as a result of that, how did you lost system performance or network throughput
> > i want to know about this point because you already have done this test.
> >
> > 6 months ago, i did port to kernel with netfilter.
> > recently, i make a new kernel hook, so i will port SNORT with a my hook instead of netfilter.
> >
> > have a nice day ^.^*~~
> >
> > from my knowledge, current netfilter hook is ranged from ethernet layer to IP layer..
> > did you mean your hook covers TCP. UDP layer ?
> > i will wait your reply.
> >
> > if it is possible, please let us show the framework as a form of figure which you had done 6 month ago,
> > and current design. they must be very interesting. and i am sure everyone want to know about that ^---^
> >
> > p.s:
> > since i start this project,
> > i have thought that current pf.c will receive the last alarm from snort or other IDS sensor,
> > so pf , as a result of receiving alarm, will drop a specified source host or control traffic of suspicious host.
> > but during reading your letter, i think you already have done it. isn't it ?
> > if so, i don't mind throwing away my design. then i can more concentrate my energy only to "flow control" ^--^
> >
> > regards
> > jeho park
> >
> > 2006/3/8, jeho-park <lin...@gm...>:
> > >
> > > hi il-eok
> > > glad to meet you through this mailing list.
> > >
> > > i read your mail, so i thought you have good career about security
> > > i expect you to help our project about the field of QoS or IPS.
> > >
> > > most of all, i wonder how did you ported snort to the network stack of linux.
> > >
> > > todays, george and kwan-kyung is also researching about that. so i hope
> > > you to share your knowledge with them.
> > >
> > > regards
> > > jeho park
> > >
> > > _______________________________________________
> > > Netadm-devel mailing list
> > > Net...@li...
> > > https://lists.sourceforge.net/lists/listinfo/netadm-devel