Cesnet Liberouter
IDS project

IDS probe placement

The IDS probe can be connected directly to the network cable using two IDS probe ports. The delay on the line will be only a few microseconds and the IDS probe will be invisible to anyone. With this kind of connection only 2 network lines can be monitored. Another way to use the probe is through switch or router mirror ports, which can be connected to one of the four probe ports.



IDS probe network placement

The IDS probe was mainly developed for Snort acceleration support. With the driver, the probe behaves like a normal network card which receives only suspicious packets. Snort can therefore work at its own level with all features, such as logging to a database and alarm generation. Tools like BASE can also be used for packet analysis.



BASE - IDS analysis tool

Architecture Description

The IDS project is based on the NetCOPE platform. The IDS design is divided into two parts: the interface card and the mother card. On the interface card, packets are received from one of four 1 Gbps ports into an Input GMII Buffer (IBUF). Only packets with a correct CRC are saved into the IBUF. Packets are read from the IBUFs by four Header Field Extractors (HFEs). An HFE extracts the L3 and L4 headers needed for packet classification. The HFE also marks the start of the application protocol; pattern matching is performed in this packet region. The Round Robin (RR) binder buffers extracted headers and whole packets in four buffers. The RR cyclically reads ready packets from the buffers and sends them through the IOS bus to the COMBO6x mother card for further processing.



IDS Design Block scheme

Extracted header fields (Unified headers) and packets are stored into FIFOs for the Classifier, Pattern Match and the Software output buffer (SWOBUF). Unified headers are processed by the Classifier, which marks in a rules vector which rules match the Unified Header. Packets are processed by Pattern Match. This unit searches for strings (in the future, for regular expressions) in the packet payload. Depending on which patterns are matched and on the Classifier result, the matched rules are marked in the rules result vector. This vector is then ORed, so even when only one rule is matched, the Pattern Match unit signals SWOBUF to export the packet to software.
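
The decision path described above, as an added behavioral model in Python; it is not code from the Liberouter project. The rule fields, the sample rules and the assumption that a rule is marked only when both the Classifier and Pattern Match select it are illustrative.

```python
# Added behavioral model, not Liberouter code. Rule layout, sample rules and the
# AND combination of Classifier and Pattern Match results are assumptions.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class UnifiedHeader:          # L3/L4 fields extracted by the HFE
    proto: int                # IP protocol number (6 = TCP, 17 = UDP)
    dst_port: int
    payload_offset: int       # start of application protocol, marked by the HFE

@dataclass(frozen=True)
class Rule:
    proto: Optional[int]      # None = wildcard
    dst_port: Optional[int]   # None = wildcard
    pattern: Optional[bytes]  # None = header-only rule

RULES = [  # constructed sample rule set
    Rule(6, 80, b"/etc/passwd"),
    Rule(6, 21, b"USER root"),
    Rule(17, 53, None),
]

def classify(hdr, rules):
    """Classifier: bit i is set when the header fields of rule i match."""
    vec = 0
    for i, r in enumerate(rules):
        if r.proto in (None, hdr.proto) and r.dst_port in (None, hdr.dst_port):
            vec |= 1 << i
    return vec

def pattern_match(packet, hdr, rules):
    """Pattern Match: bit i is set when rule i's string occurs in the payload region."""
    payload = packet[hdr.payload_offset:]  # bytes before the HFE mark are not searched
    vec = 0
    for i, r in enumerate(rules):
        if r.pattern is None or r.pattern in payload:
            vec |= 1 << i
    return vec

def export_to_software(packet, hdr, rules=RULES):
    """Return (rules result vector, export flag); the flag is the OR of all bits."""
    result = classify(hdr, rules) & pattern_match(packet, hdr, rules)
    return result, result != 0
```
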

Main components

  • Header Field Extractor (HFE)
  • Packet Binder
  • Transformer
  • Binder Round Robin
  • Relay
  • Packet Splitter
  • Fork
  • Classifier
  • Pattern_Match
  • Drop Buffer
  • Packet Linker
  • Watch
