RE: Snort + (OpenBSD or Linux)

From: Turner, Elliot (eturner@intrusion.com)
Date: 07/30/01


Message-ID: <636A9B29EA94BC4194D844C27A3B1AAB016DE58C@Mercury.intrusion.com>
From: "Turner, Elliot" <eturner@intrusion.com>
To: "'Yoann Vandoorselaere'" <yoann@mandrakesoft.com>, Subba Rao <subba9@home.com>
Subject: RE: Snort + (OpenBSD or Linux)
Date: Mon, 30 Jul 2001 14:10:01 -0500

Comments below:

-----Original Message-----
>From: Yoann Vandoorselaere [mailto:yoann@mandrakesoft.com]
>Sent: Monday, July 30, 2001 8:42 AM
>To: Subba Rao
>Cc: Dan Bunge; Focus IDS
>Subject: Re: Snort + (OpenBSD or Linux)
>
>Subba Rao <subba9@home.com> writes:
>>
>> Where are the studies that are saying that OpenBSD does not drop all the
>> packets on a heavy duty pipe? Or OpenBSD is x% faster than Linux for an IDS
>> box in the production environment?
>
>The way Snort treats packets (the way it matches them against signatures)
>is really not efficient; tests are redundant, and done many, many times
>on the same packet. The speed problem is in the application, not in
>the kernel.

I was able to attend the Snort talk at BlackHat this year. While some tests
in the present 1.8 architecture are redundant, it sounds like they're doing
some pretty interesting work in eliminating those problems (the research
into alternative pattern matching algorithms, for instance). Anyway, if one
desires to knock on the speed of a NIDS, there are far more attractive
targets than Snort. Snort runs fairly fast compared to some other products
currently on the market (I'm not going to name specific products, as I work
for a NIDS vendor, and thus don't qualify as a "non-biased third party").

In response to your comments on "speed problems", I can say from personal
experience (as a NIDS developer) that one can run into bottlenecks in a
number of areas within both the application and kernel. Packet capture,
memory management, alerting, string matching, protocol decoding, etc. can all
contain potential bottlenecks. NIDS is a complex animal.

Regarding OpenBSD vs. Linux packet capture performance (this is a really old
argument), there is no _recent_ published data that compares the two
operating systems. The data mentioned earlier in this thread (gathered by
Anzen, during research into platform usage for the NFR product) is rather
outdated, examining the Linux SOCK_PACKET/PF_PACKET 2.2 capture facilities.

Linux has a completely new capture subsystem in 2.4 (based on the
TurboPacket patch for 2.2) that can run circles around many other operating
systems' capture facilities. However, truly accurate comparisons between
operating systems cannot really be made until research is published
comparing the most _recent_ capture facilities in all operating systems
against one another.

I know that many NIDS developers (including myself and Robert Graham) have
started pursuing alternate routes of obtaining packets, through the use of
custom Ethernet drivers and other methodologies. I'm sure this will become
more common in the future. It (like most other capture techniques) has
specific advantages (speed) and drawbacks (ties to specific hardware). I
personally believe that what defines a "good packet capture subsystem" is
rather arbitrary, as some things that may be important to some users (speed)
may be less important to others (such as those concerned about having a high
degree of portability between OS and hardware platforms). Therefore I don't
think anyone can make a clear distinction "OS xyz is better than zyx at
capturing packets" unless user requirements are strictly defined ("can run
on any hardware", "must utilize the xyz Ethernet adapter").

Regards,

Elliot
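As an added illustration of the "redundant tests done many times on the same packet" point raised in the quoted reply (this is constructed example code, not from the thread, from Snort, or from any product mentioned), the block below compares a naive per-rule matcher against one that indexes rules by header fields, counting the field comparisons each strategy performs on the same toy packets. The rule set, packets and the three-field rule shape are all constructed assumptions and do not reproduce Snort's real rule language or engine.

```python
"""Naive per-rule testing versus header-indexed matching (constructed toy).
The comparison counter makes the cost of re-testing the same header fields
for every rule visible; the hit list shows both strategies agree."""
from collections import defaultdict

# Constructed toy rules: (proto, dst_port, content substring). Note how the
# same proto/port pair recurs across rules, which is the source of redundancy.
RULES = [("tcp", 80, b"cmd.exe"), ("tcp", 80, b"/etc/passwd"),
         ("tcp", 80, b"../.."), ("tcp", 21, b"SITE EXEC"),
         ("tcp", 21, b"USER root"), ("udp", 53, b"version.bind"),
         ("tcp", 25, b"VRFY"), ("tcp", 80, b"<script")]

# Constructed toy packets: (proto, dst_port, payload)
PACKETS = [("tcp", 80, b"GET /index.html HTTP/1.0"),
           ("tcp", 80, b"GET /../../etc/passwd HTTP/1.0"),
           ("udp", 53, b"\x00\x01version.bind"),
           ("tcp", 22, b"SSH-2.0-OpenSSH")]

def naive_match(rules, packets):
    """Every rule re-tests proto, port and then content for every packet."""
    hits, comparisons = [], 0
    for pi, (proto, port, payload) in enumerate(packets):
        for ri, (rproto, rport, content) in enumerate(rules):
            comparisons += 1
            if rproto != proto:
                continue
            comparisons += 1
            if rport != port:
                continue
            comparisons += 1
            if content in payload:
                hits.append((pi, ri))
    return hits, comparisons

def indexed_match(rules, packets):
    """Header fields are resolved once per packet through a (proto, port)
    index; only the content tests of that rule group are then executed."""
    groups = defaultdict(list)
    for ri, (rproto, rport, content) in enumerate(rules):
        groups[(rproto, rport)].append((ri, content))
    hits, comparisons = [], 0
    for pi, (proto, port, payload) in enumerate(packets):
        comparisons += 1  # one header lookup per packet, not one per rule
        for ri, content in groups.get((proto, port), []):
            comparisons += 1
            if content in payload:
                hits.append((pi, ri))
    return hits, comparisons
```

On these inputs the naive matcher performs 63 field comparisons and the indexed one 13, with identical hits; a real engine would go further by also running one multi-pattern pass over the payload instead of one substring search per rule.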
