Re: Snort + (OpenBSD or Linux)

From: Yoann Vandoorselaere (yoann@mandrakesoft.com)
Date: 07/30/01


To: "Turner, Elliot" <eturner@intrusion.com>
Subject: Re: Snort + (OpenBSD or Linux)
From: Yoann Vandoorselaere <yoann@mandrakesoft.com>
Date: 30 Jul 2001 22:38:58 +0200
Message-ID: <87ofq2p2xp.fsf@mandrakesoft.com>


"Turner, Elliot" <eturner@intrusion.com> writes:

> Comments below:
>
> -----Original Message-----
> >From: Yoann Vandoorselaere [mailto:yoann@mandrakesoft.com]
> >Sent: Monday, July 30, 2001 8:42 AM
> >To: Subba Rao
> >Cc: Dan Bunge; Focus IDS
> >Subject: Re: Snort + (OpenBSD or Linux)
> >
> >Subba Rao <subba9@home.com> writes:
> >>
> >> Where are the studies that are saying that OpenBSD does not drop all the
> >> packets on a heavy duty pipe? Or OpenBSD is x% faster than Linux for an
> >> IDS box in the production environment?
> >
> >The way Snort treats packets (the way it matches them against signatures)
> >is really not efficient; tests are redundant, and done many, many times
> >on the same packet. The speed problem is in the application, not in
> >the kernel.
>
>
> I know that many NIDS developers (including myself and Robert Graham) have
> started pursuing alternate routes of obtaining packets, through the use of
> custom Ethernet drivers and other methodologies. I'm sure this will become
> more common in the future. It (like most other capture techniques) has
> specific advantages (speed) and drawbacks (ties to specific hardware).

My point of view is:

The operating system is responsible for giving you access to this
hardware. If there is a problem, it has to be fixed. You shouldn't
have to code specific drivers for the hardware...

> I personally believe that what defines a "good packet capture subsystem" is
> rather arbitrary, as some things that may be important to some users (speed)
> may be less important to others (such as those concerned about having a high
> degree of portability between OS and hardware platforms).
>
> Therefore I don't think anyone can make a clear distinction "OS xyz is
> better than zyx at capturing packets" unless user requirements are strictly
> defined ("can run on any hardware", "must utilize the xyz Ethernet adapter").

I agree

-- 
Yoann Vandoorselaere | One luser tried to change his password on Mandrake. Not
MandrakeSoft         | having any imagination at all, he entered "penis" for a
                     | password... He got the following answer:   BAD PASSWORD:
                     | it is too short


