This message is a private message forwarded to the mailing list with
the permission of the author...
I think it is interesting to debate this question
(creation of an IDS-style language).
------- Start of forwarded message -------
Date: Mon, 27 Mar 2000 19:18:11 -0500
From: Praveen Yajman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Prelude subscribtion
> Yop, already thought of that,
> but I think (sorry) that it is a bad idea.
>
> Here is why:
> real-time intrusion detection requires a lot of CPU power;
> what you need is a low-level language (like C),
> you will never achieve things as quickly with a higher-level language...
>
> So what we do is use dedicated plugins for intrusion detection...
>
> What do you think?
A low-level language is required, agreed. But then it all depends on how
you implement the high-level language. My idea of an HLL is like this:

    if(ip_src == ip_dst)
        attack = land;

And the most important aspect of the language would be the compiler.
What we need here is one that will optimize the attack signature to the
most efficient BPF code (or to a better packet filter). That way it
would be even better than C. So when I said a different language for
ID, I meant a domain-specific language, not necessarily an HLL like Basic.
Ideally I would want to do away with BPF completely and have a better
low level packet filter that would be implemented in hardware
(preferably the network interface). The concept of reconfigurable
computing appealed to me. But the present hardware seems to be still
years away from competing with traditional computers. It would be so
nice to have a reconfigurable computer that would configure itself on
the fly into the most optimized form to detect/prevent a particular
category of attack/traffic. For example if the IDS detects DoS then it
could immediately switch its configuration (in hardware) to the best
optimized mode for tackling DoS. Well, I guess these ideas are good for
research. They probably will never get implemented in commercial
products.
>
> --
> -- Yoann http://prelude.sourceforge.net
> It is well known that M$ products don't make a free() after a malloc();
> the Unix community wishes them good luck for their future development.
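As an added illustration of the "domain-specific rule compiled down to BPF" idea in the forwarded message (this is example code written for this page, not code from the thread's authors or from the Prelude project): a toy compiler that takes the `if(ip_src == ip_dst) attack = land;` rule, emits classic BPF instructions, and runs them through a small BPF interpreter over constructed Ethernet/IPv4 frames. The rule syntax, the field names `ip_src`/`ip_dst`, the Ethernet/IPv4 offsets (no VLAN tag) and the use of a Python interpreter instead of a real kernel filter are all assumptions made for the illustration; the opcode values are the classic BPF ones.

```python
"""Toy IDS-rule compiler: DSL rule -> classic BPF -> evaluate on packets.

Added example for this page, not from the original thread or from Prelude.
Field names, rule grammar, frame layout and the interpreter are assumptions.
"""
import re
import socket
import struct

# Classic BPF opcodes (the subset this example needs).
BPF_LD_W_ABS = 0x20  # A = u32 at pkt[k]
BPF_LD_H_ABS = 0x28  # A = u16 at pkt[k]
BPF_JEQ_K    = 0x15  # pc += (A == k) ? jt : jf
BPF_JEQ_X    = 0x1d  # pc += (A == X) ? jt : jf
BPF_TAX      = 0x07  # X = A
BPF_RET_K    = 0x06  # return k (0 = no match)

# Assumed frame layout: 14-byte Ethernet header followed by IPv4 (no VLAN).
ETHERTYPE_OFF, ETHERTYPE_IP = 12, 0x0800
FIELD_OFFSETS = {"ip_src": 26, "ip_dst": 30}   # IPv4 src/dst address offsets

# Assumed rule grammar, modelled on the sketch in the message.
RULE_RE = re.compile(r"if\s*\(\s*(\w+)\s*==\s*(\w+)\s*\)\s*attack\s*=\s*(\w+)\s*;")


def parse_rule(text):
    """Return (lhs_field, rhs_field, attack_name) or raise on unsupported input."""
    m = RULE_RE.fullmatch(text.strip())
    if not m or m.group(1) not in FIELD_OFFSETS or m.group(2) not in FIELD_OFFSETS:
        raise ValueError("unsupported rule: %r" % text)
    return m.group(1), m.group(2), m.group(3)


def compile_rule(text):
    """Compile one rule to (attack_name, program); program is [(code, jt, jf, k)]."""
    lhs, rhs, attack = parse_rule(text)
    prog = [
        (BPF_LD_H_ABS, 0, 0, ETHERTYPE_OFF),        # 0: A = ethertype
        (BPF_JEQ_K,    0, 5, ETHERTYPE_IP),         # 1: not IPv4 -> 7 (ret 0)
        (BPF_LD_W_ABS, 0, 0, FIELD_OFFSETS[lhs]),   # 2: A = lhs field
        (BPF_TAX,      0, 0, 0),                    # 3: X = A
        (BPF_LD_W_ABS, 0, 0, FIELD_OFFSETS[rhs]),   # 4: A = rhs field
        (BPF_JEQ_X,    0, 1, 0),                    # 5: A == X -> 6, else -> 7
        (BPF_RET_K,    0, 0, 65535),                # 6: match
        (BPF_RET_K,    0, 0, 0),                    # 7: no match
    ]
    return attack, prog


def run_bpf(prog, pkt):
    """Minimal classic-BPF interpreter; out-of-bounds loads reject the packet."""
    A = X = 0
    pc = 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == BPF_LD_W_ABS:
            if k + 4 > len(pkt):
                return 0
            A = struct.unpack_from("!I", pkt, k)[0]
        elif code == BPF_LD_H_ABS:
            if k + 2 > len(pkt):
                return 0
            A = struct.unpack_from("!H", pkt, k)[0]
        elif code == BPF_TAX:
            X = A
        elif code == BPF_JEQ_K:
            pc += jt if A == k else jf
        elif code == BPF_JEQ_X:
            pc += jt if A == X else jf
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unknown opcode 0x%02x" % code)
    raise ValueError("program fell off the end")


def build_frame(src_ip, dst_ip, ethertype=ETHERTYPE_IP):
    """Constructed test frame: zeroed MACs + minimal 20-byte IPv4 header."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip


def classify(programs, pkt):
    """Names of all compiled rules whose BPF program accepts the packet."""
    return [name for name, prog in programs if run_bpf(prog, pkt)]


RULES = ["if(ip_src == ip_dst) attack = land;"]    # the rule from the message
PROGRAMS = [compile_rule(r) for r in RULES]

if __name__ == "__main__":
    print(classify(PROGRAMS, build_frame("10.0.0.5", "10.0.0.5")))  # ['land']
    print(classify(PROGRAMS, build_frame("10.0.0.5", "10.0.0.6")))  # []
```

The compiler emits the same shape of program tcpdump would for an equivalent expression: check the ethertype, load one field into X, the other into A, and branch on `jeq x`. Bounds checks on every load mirror what a kernel BPF verifier enforces, which is why a truncated frame is rejected rather than read past its end.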