Thread: [Netadm-devel] hi il-eok hwang
Status: Beta
Brought to you by:
linuxpark
Menu
▾
▴
netadm-devel
|
From: jeho-park <lin...@gm...> - 2006-03-07 16:25:14
|
hi il-eok glad to meet you through this mailling list. i read your mail, so i thought you have good career about security i expect you to help our project about the field of QoS or IPS. most of all, i wonder how did you ported snort to the network stack of linux. todays, george and kwan-kyung is also researching about that. so i hope you to share your knowledge with them. regards jeho park |
|
From: jeho-park <lin...@gm...> - 2006-03-08 12:22:47
|
hi il-eok il-eok hwang wrote: > Hi, jeho park and everyone~~ > > first, sorry for my poor english. > > as i think, i quite agree with you and i hope to help our project > about the field of IPS( DPI ). > if my opinion will be established, i wll make a document about DPI. > > there are some problems in porting SNORT to kernel. see below. > - memory > - rule > - log > - etc that's great ! if you make it with korean, i will help to translate this document into english. through reading your letter, i become excited ^--^ and have so many question. i can imagine that there might be so many changes was needed to port snort to kernel layer. but i wonder all of snort code was really needed to port to the kernel layer? if so, what is the main motive of this porting ? is it for more better performance of checking network packet ? ( i assume you might throw away current libpcap(premiscuous) concerned code of snort then you must have replaced that with netfilter hook ) i think as you replaced libpcap with netfilter hook, you could check all network packet without packet loss. but i wonder as a result of that, how did you lost system performance or network throughput i want to know about this point because you already have done this test. > > 6 months ago, i did port to kernel with netfilter. > recently, i make a new kernel hook, so i will port SNORT with a my > hook instead of netfilter. > > have a nice day ^.^*~~ > from my knowledge, current netfilter hook is ranged from ethernet layer to IP layer.. did you mean your hook covers TCP. UDP layer ? i will wait your reply. if it is possible, please let us show the framework as a form of figure which you had done 6 month ago, and current design. they must be very interesting. and i am sure everyone want to know about that ^---^ p.s: since i start this project, i have thought that current pf.c will receive the last alarm from snort or other IDS sensor, so pf , as a result of receving alarm, will drop a specifed source host or control traffic of suspicious host. but during reading your letter, i think you already have done it. isn't it ? if so, i don't mind throwing away my design. then i can more concentrate my energy only to "flow control" ^--^ regards jeh park > > 2006/3/8, jeho-park <lin...@gm... > <mailto:lin...@gm...>>: > > > hi il-eok > glad to meet you through this mailling list. > > i read your mail, so i thought you have good career about security > i expect you to help our project about the field of QoS or IPS. > > most of all, i wonder how did you ported snort to the network stack of > linux. > > todays, george and kwan-kyung is also researching about that. so i > hope > you to share your knowledge with them. > > regards > jeho park > > > > > > ------------------------------------------------------- > This SF.Net email is sponsored by xPML, a groundbreaking scripting > language > that extends applications into web and mobile media. Attend the > live webcast > and join the prime developer group breaking into this new coding > territory! > http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 > <http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642> > _______________________________________________ > Netadm-devel mailing list > Net...@li... > <mailto:Net...@li...> > https://lists.sourceforge.net/lists/listinfo/netadm-devel > > |
|
From: jeho-park <lin...@gm...> - 2006-03-09 04:35:06
|
hi il-eok can you please cc net...@li... address whenever you send email ^-^ il-eok hwang wrote: > Hi, jeho park and everyone~~ > > Sorry, My work's results are not mine but my company. and I did leave > my company one month ago. > So i will give you any doc currently. > yes i understand, and i hope you to share some doc without breaking the license with your past company. > As you know, Snort Inline use netfilter target called IP_QUEUE. > and IP_QUEUE used netlink. i think these are not good solution. > How about you?? > last year, i heard that snort supports netfilter target. but i didn't check it or know more than that. from reading your letter, i realized the target is IP_QUEUE. i can't sure what is the best solution, but i think it may be dependent on network environment(gateway.. or sensor mode) and system performances. i suggest that before starting design, we should talk about this. because it is not easy to remake the frame, > you said to me as below. > i can imagine that there might be so many changes was needed to > port snort to kernel layer. > but i wonder all of snort code was really needed to port to the > kernel layer? > if so, what is the main motive of this porting ? > is it for more better performance of checking network packet ? ( i > assume you might throw away > current libpcap(premiscuous) concerned code of snort then you must > have replaced that with > netfilter hook ) > > it's a good solution. but as i think, mbuf is better than libpcap. > some IDS were developed with > zero copy tech in Linux. > > TODO. > - intrusion detection point in kernel : preprocessor & pattern > matching engine > - packet drop by rule > - use conf file and rule file in user land. > - .... > > recently, i works for developing L2TP - LAC, LNS. there are some bugs > in rp-l2tp & zebra, > so i will catch the bugs. after fixing-maybe 4days, i will check the > current our project's source > codes. > i recommand this document. http://netadm.sourceforge.net/devel_netadm_ko.txt especially chapter 3,4, 5 i think you dont have to understand all of our code but the interface which let you make your cli command i know zebra interface is not bad.. and used globaly.. but our cli interface more simple, and easy to build and make your cli command exported GUI interface. check "include/confproc.h" and gwclib/conftab.c gwclib/confproc.c bye ~ > see you later~~ > > 2006/3/8, jeho-park <lin...@gm... > <mailto:lin...@gm...>>: > > hi il-eok > > > il-eok hwang wrote: > >> Hi, jeho park and everyone~~ >> >> first, sorry for my poor english. >> >> as i think, i quite agree with you and i hope to help our project >> about the field of IPS( DPI ). >> if my opinion will be established, i wll make a document about DPI. >> >> there are some problems in porting SNORT to kernel. see below. >> - memory >> - rule >> - log >> - etc >> > > that's great ! if you make it with korean, i will help to > translate this document into english. > > through reading your letter, i become excited ^--^ and have so > many question. > > i can imagine that there might be so many changes was needed to > port snort to kernel layer. > but i wonder all of snort code was really needed to port to the > kernel layer? > if so, what is the main motive of this porting ? > is it for more better performance of checking network packet ? ( i > assume you might throw away > current libpcap(premiscuous) concerned code of snort then you must > have replaced that with netfilter hook ) > > i think as you replaced libpcap with netfilter hook, you could > check all network packet without packet loss. > but i wonder as a result of that, how did you lost system > performance or network throughput > i want to know about this point because you already have done this > test. > >> >> 6 months ago, i did port to kernel with netfilter. >> recently, i make a new kernel hook, so i will port SNORT with a my >> hook instead of netfilter. >> >> have a nice day ^.^*~~ >> >> > > from my knowledge, current netfilter hook is ranged from ethernet > layer to IP layer.. > did you mean your hook covers TCP. UDP layer ? > i will wait your reply. > > if it is possible, please let us show the framework as a form of > figure which you had done 6 month ago, > and current design. they must be very interesting. and i am sure > everyone want to know about that ^---^ > > > p.s: > since i start this project, > i have thought that current pf.c will receive the last alarm from > snort or other IDS sensor, > so pf , as a result of receving alarm, will drop a specifed source > host or control traffic of suspicious host. > but during reading your letter, i think you already have done it. > isn't it ? > if so, i don't mind throwing away my design. then i can more > concentrate my energy only to "flow control" ^--^ > > regards > jeh park > > >> >> 2006/3/8, jeho-park <lin...@gm... >> <mailto:lin...@gm...>>: >> >> >> hi il-eok >> glad to meet you through this mailling list. >> >> i read your mail, so i thought you have good career about >> security >> i expect you to help our project about the field of QoS or IPS. >> >> most of all, i wonder how did you ported snort to the network >> stack of >> linux. >> >> todays, george and kwan-kyung is also researching about that. >> so i hope >> you to share your knowledge with them. >> >> regards >> jeho park >> >> >> >> >> >> ------------------------------------------------------- >> This SF.Net email is sponsored by xPML, a groundbreaking >> scripting language >> that extends applications into web and mobile media. Attend >> the live webcast >> and join the prime developer group breaking into this new >> coding territory! >> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 >> <http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642> >> _______________________________________________ >> Netadm-devel mailing list >> Net...@li... >> <mailto:Net...@li...> >> https://lists.sourceforge.net/lists/listinfo/netadm-devel >> <https://lists.sourceforge.net/lists/listinfo/netadm-devel> >> >> > > |
|
From: il-eok h. <ie...@gm...> - 2006-03-09 05:21:24
|
hi jeho-park
Did you have a lunch?? yesterday i did work for LAC all the night through.
so i am fatigue.
anyway..
jeho-park wrote:
i can't sure what is the best solution, but i think it may be
dependent on network
environment (gateway.. or sensor mode) and system performances. i
suggest that before starting
design, we should talk about this.because it is not easy to remake
the frame,
sure, i think so. thanks for your concern.
maybe you have some misunderstanding for my mail. currenty i use zebra for
dynamic routing in my company's project. as i think, gwc's cli is better
than zebra's cli. ^.^*~~
once more, thanks for your concern.
haver a nice day~~
2006/3/9, jeho-park <lin...@gm...>:
>
> hi il-eok
>
> can you please cc net...@li... address whenever you send
> email ^-^
>
> il-eok hwang wrote:
>
> Hi, jeho park and everyone~~
>
> Sorry, My work's results are not mine but my company. and I did leave my
> company one month ago.
> So i will give you any doc currently.
>
>
> yes i understand, and i hope you to share some doc without breaking the
> license with your past company.
>
> As you know, Snort Inline use netfilter target called IP_QUEUE.
> and IP_QUEUE used netlink. i think these are not good solution.
> How about you??
>
>
> last year, i heard that snort supports netfilter target. but i didn't
> check it or know more than that.
> from reading your letter, i realized the target is IP_QUEUE.
>
> i can't sure what is the best solution, but i think it may be dependent o=
n
> network environment(gateway.. or sensor mode) and system performances. =
i
> suggest that before starting design, we should talk about this.
> because it is not easy to remake the frame,
>
> you said to me as below.
> i can imagine that there might be so many changes was needed to port
> snort to kernel layer.
> but i wonder all of snort code was really needed to port to the kerne=
l
> layer?
> if so, what is the main motive of this porting ?
> is it for more better performance of checking network packet ? ( i
> assume you might throw away
> current libpcap(premiscuous) concerned code of snort then you must
> have replaced that with
> netfilter hook )
>
> it's a good solution. but as i think, mbuf is better than libpcap. some
> IDS were developed with
> zero copy tech in Linux.
>
> TODO.
> - intrusion detection point in kernel : preprocessor & pattern matching
> engine
> - packet drop by rule
> - use conf file and rule file in user land.
> - ....
>
> recently, i works for developing L2TP - LAC, LNS. there are some bugs in
> rp-l2tp & zebra,
> so i will catch the bugs. after fixing-maybe 4days, i will check the
> current our project's source
> codes.
>
>
>
> i recommand this document.
> http://netadm.sourceforge.net/devel_netadm_ko.txt especially chapter 3,4=
,
> 5
>
> i think you dont have to understand all of our code but the interface
> which let you make your cli command
>
> i know zebra interface is not bad.. and used globaly.. but our cli
> interface more simple, and easy to build
>
> and make your cli command exported GUI interface. check
> "include/confproc.h" and gwclib/conftab.c
>
> gwclib/confproc.c
>
> bye ~
>
> see you later~~
>
> 2006/3/8, jeho-park <lin...@gm...>:
> >
> > hi il-eok
> >
> >
> > il-eok hwang wrote:
> >
> > Hi, jeho park and everyone~~
> >
> > first, sorry for my poor english.
> >
> > as i think, i quite agree with you and i hope to help our project about
> > the field of IPS( DPI ).
> > if my opinion will be established, i wll make a document about DPI.
> >
> > there are some problems in porting SNORT to kernel. see below.
> > - memory
> > - rule
> > - log
> > - etc
> >
> >
> > that's great ! if you make it with korean, i will help to translate
> > this document into english.
> >
> > through reading your letter, i become excited ^--^ and have so many
> > question.
> >
> > i can imagine that there might be so many changes was needed to port
> > snort to kernel layer.
> > but i wonder all of snort code was really needed to port to the kernel
> > layer?
> > if so, what is the main motive of this porting ?
> > is it for more better performance of checking network packet ? ( i
> > assume you might throw away
> > current libpcap(premiscuous) concerned code of snort then you must have
> > replaced that with netfilter hook )
> >
> > i think as you replaced libpcap with netfilter hook, you could check
> > all network packet without packet loss.
> > but i wonder as a result of that, how did you lost system performance o=
r
> > network throughput
> > i want to know about this point because you already have done this test=
.
> >
> >
> > 6 months ago, i did port to kernel with netfilter.
> > recently, i make a new kernel hook, so i will port SNORT with a my
> > hook instead of netfilter.
> >
> > have a nice day ^.^*~~
> >
> >
> >
> > from my knowledge, current netfilter hook is ranged from ethernet layer
> > to IP layer..
> > did you mean your hook covers TCP. UDP layer ?
> > i will wait your reply.
> >
> > if it is possible, please let us show the framework as a form of figure
> > which you had done 6 month ago,
> > and current design. they must be very interesting. and i am sure
> > everyone want to know about that ^---^
> >
> >
> > p.s:
> > since i start this project,
> > i have thought that current pf.c will receive the last alarm from snort
> > or other IDS sensor,
> > so pf , as a result of receving alarm, will drop a specifed source host
> > or control traffic of suspicious host.
> > but during reading your letter, i think you already have done it. isn't
> > it ?
> > if so, i don't mind throwing away my design. then i can more concentrat=
e
> > my energy only to "flow control" ^--^
> >
> > regards
> > jeh park
> >
> >
> >
> > 2006/3/8, jeho-park <lin...@gm...>:
> > >
> > >
> > > hi il-eok
> > > glad to meet you through this mailling list.
> > >
> > > i read your mail, so i thought you have good career about security
> > > i expect you to help our project about the field of QoS or IPS.
> > >
> > > most of all, i wonder how did you ported snort to the network stack o=
f
> > > linux.
> > >
> > > todays, george and kwan-kyung is also researching about that. so i
> > > hope
> > > you to share your knowledge with them.
> > >
> > > regards
> > > jeho park
> > >
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by xPML, a groundbreaking scripting
> > > language
> > > that extends applications into web and mobile media. Attend the live
> > > webcast
> > > and join the prime developer group breaking into this new coding
> > > territory!
> > >
> > > http://sel.as-us.falkag.net/sel?cmd=3Dlnk&kid=3D110944&bid=3D241720&d=
at=3D121642
> > > _______________________________________________
> > > Netadm-devel mailing list
> > > Net...@li...
> > > https://lists.sourceforge.net/lists/listinfo/netadm-devel
> > >
> >
> >
> >
>
>
|
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X