Re: IDS, where the bits meet the bytes

From: Matt Bing (mbing@nfr.net)
Date: 05/01/02


Date: Wed, 1 May 2002 14:23:34 -0400
From: Matt Bing <mbing@nfr.net>
To: "Taylor, Stephen" <STEPHEN.TAYLOR@saic.com>

Taylor, Stephen said:
> All the replies are great. My understanding: the NIC has firmware to copy
> the bits from the wire into card memory. There is a DMA or similar process
> to stream the data into CPU memory. At some point, we have a packet. The
> IDS (driver?) issues a libpcap or uses a proprietary call to obtain the
> packets from processor memory. I have got this wrong, I just don't know
> why.

Sometimes. bpf works by copying the packet from kernel-space
into user-space. A speed-up many proprietary IDSs use is to re-map
the packet directly into user-space, saving the expensive copy
operation. This technique is often referred to as a "zero-copy bpf".

-- 
Matt Bing
NFR Security
Rapid Response Team
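The copy-versus-remap distinction Matt draws is easiest to see in code. Below is an added example (not from the original post, and not NFR's code) of the Linux equivalent of a "zero-copy bpf": an AF_PACKET socket with a PACKET_RX_RING, where the kernel writes frames into a ring that the process has mmap()ed, and the process reads each frame in place and hands the slot back by writing its status word, instead of having every packet copied out by recvfrom(). It assumes Linux, root (or CAP_NET_RAW), TPACKET_V2, and an interface name on the command line; the 2048-byte frame size, 256-frame ring and the test frame built by make_fake_slot() are constructed values for illustration.

```c
/* Added example: Linux PACKET_RX_RING ("packet mmap") receive path.
 * Assumes Linux, CAP_NET_RAW, TPACKET_V2. Frame/ring sizes are arbitrary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <poll.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <net/if.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Ring geometry: blocks are page-multiple chunks, each tiled exactly by frames. */
struct ring_layout { unsigned block_size, block_nr, frame_size, frame_nr; };

/* Compute a layout the kernel will accept for `frames` slots of `frame_size`
 * bytes. Returns 0 on bad input (frame_size must be TPACKET_ALIGNMENT-aligned
 * and must divide the block size, otherwise setsockopt() fails with EINVAL). */
int ring_layout(unsigned frame_size, unsigned frames, unsigned page_size,
                struct ring_layout *out)
{
    if (frame_size == 0 || frames == 0 || page_size == 0) return 0;
    if (frame_size % TPACKET_ALIGNMENT) return 0;
    unsigned block_size = page_size;              /* smallest page multiple */
    while (block_size < frame_size) block_size += page_size;
    if (block_size % frame_size) return 0;        /* frames must tile the block */
    unsigned fpb = block_size / frame_size;
    out->block_size = block_size;
    out->block_nr   = (frames + fpb - 1) / fpb;
    out->frame_size = frame_size;
    out->frame_nr   = out->block_nr * fpb;
    return 1;
}

/* Consume one ring slot in place. The status word is the handshake: the kernel
 * sets TP_STATUS_USER when a frame is ready; we read it where it lies, then
 * write TP_STATUS_KERNEL to release the slot. Nothing is copied. The packet
 * pointer is only valid until that release, and a slow consumer stalls the
 * ring (the kernel counts drops, it does not grow the ring).
 * Returns the captured length, or -1 if the slot holds no frame yet. */
long consume_frame(uint8_t *slot, void (*cb)(const uint8_t *pkt, unsigned len))
{
    struct tpacket2_hdr *h = (struct tpacket2_hdr *)slot;
    if (!(h->tp_status & TP_STATUS_USER)) return -1;
    cb(slot + h->tp_mac, h->tp_snaplen);           /* tp_mac: link-layer header */
    __sync_synchronize();                          /* finish reads before release */
    h->tp_status = TP_STATUS_KERNEL;
    return (long)h->tp_snaplen;
}

/* Constructed test slot (not captured traffic): a 60-byte frame with
 * EtherType 0x0800 placed at tp_mac, marked ready for user space. */
uint8_t *make_fake_slot(void)
{
    static uint8_t slot[2048];
    memset(slot, 0, sizeof slot);
    struct tpacket2_hdr *h = (struct tpacket2_hdr *)slot;
    h->tp_mac = TPACKET2_HDRLEN;
    h->tp_len = h->tp_snaplen = 60;
    slot[h->tp_mac + 12] = 0x08; slot[h->tp_mac + 13] = 0x00;
    h->tp_status = TP_STATUS_USER;
    return slot;
}

unsigned seen_len;                                 /* written by record_cb */
void record_cb(const uint8_t *pkt, unsigned len) { (void)pkt; seen_len = len; }

void print_cb(const uint8_t *pkt, unsigned len)
{
    if (len >= ETH_HLEN)
        printf("%u bytes, EtherType 0x%02x%02x\n", len, pkt[12], pkt[13]);
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s ifname\n", argv[0]); return 1; }
    struct ring_layout rl;
    if (!ring_layout(2048, 256, (unsigned)sysconf(_SC_PAGESIZE), &rl)) return 1;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket (needs CAP_NET_RAW)"); return 1; }
    int ver = TPACKET_V2;
    struct tpacket_req req = { rl.block_size, rl.block_nr, rl.frame_size, rl.frame_nr };
    if (setsockopt(fd, SOL_PACKET, PACKET_VERSION, &ver, sizeof ver) ||
        setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &req, sizeof req)) {
        perror("setsockopt"); return 1;
    }
    size_t len = (size_t)rl.block_size * rl.block_nr;
    uint8_t *ring = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (ring == MAP_FAILED) { perror("mmap"); return 1; }  /* ring is shared with the kernel */
    struct sockaddr_ll sll = { .sll_family = AF_PACKET, .sll_protocol = htons(ETH_P_ALL),
                               .sll_ifindex = (int)if_nametoindex(argv[1]) };
    if (bind(fd, (struct sockaddr *)&sll, sizeof sll)) { perror("bind"); return 1; }
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    /* Slots are contiguous at frame_size stride because each block is an exact
     * multiple of frame_size. Walk them in order; sleep in poll() when empty. */
    for (unsigned i = 0;; i = (i + 1) % rl.frame_nr) {
        uint8_t *slot = ring + (size_t)i * rl.frame_size;
        while (consume_frame(slot, print_cb) < 0)
            if (poll(&pfd, 1, -1) < 0) { perror("poll"); return 1; }
    }
}
```

Run as root with `./packet_ring eth0`. The contrast with the copying path is in consume_frame(): a libpcap/bpf reader would receive the same bytes through a read() or recvfrom() that memcpy()s them into a private buffer, whereas here the only per-packet kernel/user traffic is the status word. The price is the discipline around it: the packet pointer dies when the slot is released, and a consumer that falls behind stalls the ring rather than growing it, which is exactly where a busy IDS starts dropping.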


