So far with my forays into netfilter I have produced two things related to network intrusion detection.
PROMISC Chain. netfilter and iptables patches that add a new chain to the filter table called PROMISC. Packets that get picked up in promiscuous mode and aren't destined for our host traverse this chain. This is useful so we can monitor all traffic on our LAN segment. You can use the REJECT target to send out RSTs to stop TCP streams between other machines.
NETLINK target. A patch that adds a NETLINK target to netfilter/iptables. This sends packets to userspace via a netlink socket so that you can use my FWMON tool to monitor the data. Although you can do anything with this data, for example send the encrypted data out over the network push style.
Now this is the thing I wonder about. Is it best to send the data to userspace, then back to the kernel (through the TCP/IP stack) then on to the network? Or should the kernel send the data out directly? I mean, the data should be sent at regular intervals (e.g. every 30 seconds), whether there actually is data or not, or attackers could find out what triggers an intrusion by monitoring when it sends data. Is the userspace overhead acceptable, or would it be too easy to snowblind the system, by flooding it, to the point where the data doesn't get sent to userspace? I will have to code both approaches and test them, maybe I am being too paranoid, if such a thing exists.
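As an added illustration (not code from the post, FWMON or the NETLINK patch), here is the userspace side of the constant-cadence reporting described above in C: a bounded queue fed from the netlink socket, and a timer-driven frame builder that always emits the same number of fixed-size slots, padding unused ones, so the size and timing of the report reveal nothing about whether an alert fired. Record layout, slot count and queue depth are constructed values; a flood that overruns the queue is counted in the frame rather than silently lost.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sizes: one fixed-size alert record and a fixed number of slots per
 * frame, so sizeof(struct frame) is constant no matter how many alerts fired. */
#define REC_SIZE   64
#define SLOTS      16
#define QUEUE_CAP  256   /* bounded: a flood is counted, never grows memory */

enum { REC_PADDING = 0, REC_ALERT = 1 };

struct rec   { uint8_t type; uint8_t data[REC_SIZE - 1]; };
struct frame { uint32_t seq; uint32_t dropped; uint32_t real; struct rec slot[SLOTS]; };

static struct rec queue[QUEUE_CAP];
static unsigned   q_head, q_len;
static uint32_t   dropped_total, seq_no;

/* Called for every packet handed up from the kernel (e.g. read from the netlink
 * socket). Returns 1 if stored, 0 if the queue was full and the record dropped. */
int ids_enqueue(const uint8_t *payload, size_t len)
{
    if (q_len == QUEUE_CAP) { dropped_total++; return 0; }
    struct rec *r = &queue[(q_head + q_len) % QUEUE_CAP];
    memset(r, 0, sizeof *r);
    r->type = REC_ALERT;
    memcpy(r->data, payload, len < sizeof r->data ? len : sizeof r->data);
    q_len++;
    return 1;
}

/* Called from the interval timer (e.g. every 30 s) whether or not anything was
 * queued. Every frame carries exactly SLOTS records; slots with no alert stay
 * zeroed REC_PADDING, so the wire image is the same size and cadence either way.
 * The running drop counter lets the collector detect a snowblind attempt. */
void ids_build_frame(struct frame *f)
{
    memset(f, 0, sizeof *f);
    f->seq = seq_no++;
    f->dropped = dropped_total;
    for (unsigned i = 0; i < SLOTS && q_len > 0; i++) {
        f->slot[i] = queue[q_head];
        q_head = (q_head + 1) % QUEUE_CAP;
        q_len--;
        f->real++;
    }
}

unsigned ids_queue_len(void) { return q_len; }
```

The frame should then be encrypted and sent as-is; the `real` and `dropped` fields are for the collector, not the observer, and must stay inside the encrypted body.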
Kernel space vs user space; kernel is:
- More secure, we can make sure the system can NEVER be snowblinded.
- Less flexible
- Bulks the kernel out
- Low latency