On 24/Feb/11 22:23, Carlos Lopez wrote:
>> The kernel lacks support for "Deep Packet Inspection"...  With DPI
>> you can do all the dirty tricks to keep crackers out of the box/net.
> 
> It is true that the mainline kernel does not support it, but there are
> many commercial vendors that are open-sourcing their products in order
> to be in the open source arena; read this article from the
> Internet:
> 
> http://www.linux.com/news/enterprise/networking/44079-deep-packet-inspection-engine-goes-open-source

Maybe I'm missing something, but it seems to me that

1. The Linux kernel, via iptables, supports inspecting _any_ value in
a filtered packet.  If tougher inspection is required, the packet can
be passed to a userspace daemon using netfilter (which OpenDPI
apparently can also do).

2. The OpenDPI software is concerned with classifying protocols and
applications, which is not very relevant for SMTP/IMAP/POP
authentication, as we know both the protocol and the application already.

3. After the TLS handshake, OpenDPI filters are not able to know the
details of the communication.  (In principle, knowing the server's key
and having traced the handshake, it should be possible to decrypt the
packet content.  The closed-source version "ipoque" is claimed to be
"able to detect encrypted or obfuscated protocols as well", and this
may be what they mean.)

4. Still, failed authentication attempts from crackers look exactly
like legitimate ones, except for their amount.  Tracking them
correctly implies knowledge of the user database (in addition to the
server's keys), hence it is much, much harder to do it using an
external tool.

-- 
_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
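Point 4 above is easiest to see with the signal an on-host tool has and a packet inspector does not: the server's own log records the username and the outcome of every login, even over TLS. The following is an added example, not code from the original post or from the Courier project, that runs the kind of check a log-based tool would run over a few constructed Courier-IMAP style log lines (the "LOGIN FAILED, user=..., ip=[...]" format and the known-user set are assumptions). It flags a source address either for too many failures inside a time window, which is the "amount" criterion from the post, or for probing usernames that do not exist, which is the criterion that needs the user database.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of Courier-IMAP syslog output
# (format assumed; not captured from a real host).  Addresses are from the
# documentation ranges (RFC 5737).
SAMPLE_LOG = """\
Feb 24 22:01:03 mail imapd-ssl: LOGIN, user=alice, ip=[::ffff:192.0.2.10], protocol=IMAP
Feb 24 22:01:09 mail imapd-ssl: LOGIN FAILED, user=alice, ip=[::ffff:192.0.2.10]
Feb 24 22:01:15 mail imapd-ssl: LOGIN, user=alice, ip=[::ffff:192.0.2.10], protocol=IMAP
Feb 24 22:03:01 mail imapd-ssl: LOGIN FAILED, user=admin, ip=[::ffff:198.51.100.7]
Feb 24 22:03:02 mail imapd-ssl: LOGIN FAILED, user=test, ip=[::ffff:198.51.100.7]
Feb 24 22:03:02 mail imapd-ssl: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.7]
Feb 24 22:03:03 mail imapd-ssl: LOGIN FAILED, user=root, ip=[::ffff:198.51.100.7]
Feb 24 22:03:04 mail imapd-ssl: LOGIN FAILED, user=postmaster, ip=[::ffff:198.51.100.7]
Feb 24 22:03:05 mail imapd-ssl: LOGIN FAILED, user=bob, ip=[::ffff:198.51.100.7]
Feb 24 22:20:00 mail imapd-ssl: LOGIN FAILED, user=bob, ip=[::ffff:203.0.113.5]
"""

# The user database the server has and an external packet inspector lacks
# (assumed for the example).
KNOWN_USERS = {"alice", "bob"}

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: "
    r"LOGIN(?P<failed> FAILED)?, user=(?P<user>[^,]*), ip=\[(?P<ip>[^\]]+)\]"
)


def parse_line(line):
    """Return a dict for a LOGIN / LOGIN FAILED line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    if ip.startswith("::ffff:"):          # IPv4-mapped IPv6 address as logged by Courier
        ip = ip[len("::ffff:"):]
    return {
        # syslog timestamps carry no year; the parsed year is only used for
        # differences inside one log, so that is acceptable here.
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "failed": m.group("failed") is not None,
        "user": m.group("user"),
        "ip": ip,
    }


def analyze(log_text, known_users, max_failures=5,
            window=timedelta(minutes=2), max_unknown=3):
    """Map each suspicious source IP to the list of reasons it was flagged."""
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    unknown = defaultdict(set)     # ip -> usernames tried that do not exist
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["failed"]:
            continue
        failures[rec["ip"]].append(rec["ts"])
        if rec["user"] not in known_users:
            unknown[rec["ip"]].add(rec["user"])

    verdict = {}
    for ip, times in failures.items():
        times.sort()
        reasons = []
        # "Amount" criterion: max_failures failures inside a sliding window.
        for i in range(len(times) - max_failures + 1):
            if times[i + max_failures - 1] - times[i] <= window:
                reasons.append(f"{max_failures} failures within {window}")
                break
        # User-database criterion: probing accounts that do not exist.
        if len(unknown[ip]) >= max_unknown:
            reasons.append(f"{len(unknown[ip])} nonexistent usernames tried")
        if reasons:
            verdict[ip] = reasons
    return verdict


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG, KNOWN_USERS).items():
        print(ip, "->", "; ".join(reasons))
```

With the sample above only 198.51.100.7 is flagged, on both counts; alice's single typo from 192.0.2.10 and the lone failure from 203.0.113.5 are left alone. Lowering `max_failures` to catch slow attackers is what turns legitimate typos into lockouts, which is why the second criterion is valuable: a handful of attempts against accounts that do not exist is a strong signal regardless of rate, and only something with access to the user database can compute it.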