We were searching for an efficient intrusion detection system. We wanted to develop a somewhat different kind of system, one that could act as both a detection and a prevention system. After a long discussion and a lot of searching on the net, we settled on this approach.
Our system has two modules: one in userspace, called the detection system, and one in kernel space, called the prevention system. The system works like this:
When packets arrive from the network at the NIC, we capture them and hand them to the userspace program.
We are still thinking about how to avoid passing every packet through the IP stack on its way to userspace. In any case, the userspace detection program inspects every packet and tries to match it against a set of predefined rules. When a packet matches, the detection system computes the rate of packets falling under that rule. If the rate exceeds the threshold, the packet's source address is written to a configuration file and immediately sent to the kernel module running in kernel space. The next time packets of this kind arrive at the NIC, the kernel module drops them before they are passed to the network stack. This cycle repeats continuously, and the best way to name this project is .....
" Knowledge based intrusion detection and prevention system"
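To make the detection/prevention loop above concrete, here is an added userspace simulation of both modules in one program. It is example code written for this post, not the project's own code: the packet record, the rule format, the threshold-per-window counter and the sample trace are all constructed here, and NF_DROP/NF_ACCEPT are defined locally to mirror the netfilter verdicts rather than taken from kernel headers. The "prevention hook" is an ordinary function standing in for the kernel module; in the real design it would sit in a netfilter hook before the stack sees the packet.

```c
#include <stdint.h>
#include <stdio.h>

/* Local mirrors of the netfilter verdicts (linux/netfilter.h), so this
 * userspace simulation builds without kernel headers. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* Constructed packet record: the fields a capture path would hand to userspace. */
struct pkt {
    uint32_t saddr;     /* source IPv4 address, host byte order */
    uint16_t dport;     /* destination port */
    uint8_t  proto;     /* 6 = TCP, 17 = UDP */
    uint8_t  tcp_flags; /* 0x02 = SYN, 0x10 = ACK */
    double   ts;        /* capture time in seconds */
};

/* Rule: which packets to count, and the rate that triggers a block. */
struct rule {
    const char *name;
    uint8_t  proto;
    uint16_t dport;               /* 0 = any port */
    uint8_t  flags_mask, flags_value;
    unsigned threshold;           /* block a source once it exceeds this many matches ... */
    double   window;              /* ... within this many seconds */
};

#define MAX_SRC   64
#define MAX_BLOCK 16
struct src_state { uint32_t saddr; double win_start; unsigned count; };

/* Block list: stands in for the configuration file handed to the kernel module. */
static uint32_t blocklist[MAX_BLOCK];
static int nblock;

static int is_blocked(uint32_t saddr)
{
    for (int i = 0; i < nblock; i++)
        if (blocklist[i] == saddr) return 1;
    return 0;
}

static void add_block(uint32_t saddr)
{
    if (!is_blocked(saddr) && nblock < MAX_BLOCK) blocklist[nblock++] = saddr;
}

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    return p->proto == r->proto && (r->dport == 0 || p->dport == r->dport)
        && (p->tcp_flags & r->flags_mask) == r->flags_value;
}

/* Userspace detection: count matching packets per source inside a fixed window.
 * Returns 1 when this packet pushes its source over the threshold. */
static int detect(const struct rule *r, struct src_state *st, int *nst, const struct pkt *p)
{
    if (!rule_matches(r, p)) return 0;
    struct src_state *s = NULL;
    for (int i = 0; i < *nst; i++)
        if (st[i].saddr == p->saddr) { s = &st[i]; break; }
    if (!s) {
        if (*nst >= MAX_SRC) return 0;           /* table full: fails open, log this in practice */
        s = &st[(*nst)++];
        s->saddr = p->saddr; s->win_start = p->ts; s->count = 0;
    }
    if (p->ts - s->win_start > r->window) {     /* window expired: start a fresh count */
        s->win_start = p->ts; s->count = 0;
    }
    s->count++;
    if (s->count > r->threshold) { add_block(p->saddr); return 1; }
    return 0;
}

/* Stand-in for the kernel module: consult the block list before the stack sees the packet. */
static int prevention_hook(const struct pkt *p)
{
    return is_blocked(p->saddr) ? NF_DROP : NF_ACCEPT;
}

/* Run a trace through hook-then-detector, as the two modules would in sequence.
 * Returns the number of dropped packets; *first_block is the index that triggered the block. */
int run_pipeline(const struct pkt *trace, int n, const struct rule *r, int *first_block)
{
    struct src_state st[MAX_SRC];
    int nst = 0, dropped = 0;
    nblock = 0;
    *first_block = -1;
    for (int i = 0; i < n; i++) {
        if (prevention_hook(&trace[i]) == NF_DROP) { dropped++; continue; }
        if (detect(r, st, &nst, &trace[i]) && *first_block < 0) *first_block = i;
    }
    return dropped;
}

/* Constructed trace: 10.0.0.99 floods 30 SYNs at port 80, then 192.168.1.5 sends a normal SYN and ACK. */
#define IP(a,b,c,d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))
int build_syn_flood_trace(struct pkt *out, int max)
{
    int n = 0;
    for (int i = 0; i < 30 && n < max; i++)
        out[n++] = (struct pkt){ IP(10,0,0,99), 80, 6, 0x02, 0.01 * i };
    if (n < max) out[n++] = (struct pkt){ IP(192,168,1,5), 80, 6, 0x02, 0.30 };
    if (n < max) out[n++] = (struct pkt){ IP(192,168,1,5), 80, 6, 0x10, 0.31 };
    return n;
}

int main(void)
{
    struct pkt trace[64];
    int at, n = build_syn_flood_trace(trace, 64);
    struct rule syn_rule = { "tcp-syn-flood", 6, 80, 0x12, 0x02, 20, 1.0 };  /* SYN without ACK */
    int dropped = run_pipeline(trace, n, &syn_rule, &at);
    printf("block triggered at packet %d, %d later packets dropped\n", at, dropped);
    return 0;
}
```

With a threshold of 20 SYNs per second, the 21st flood packet (index 20) triggers the block and the remaining nine are dropped by the hook before the detector ever sees them; the legitimate host stays unblocked. Two things a real deployment needs that this sketch leaves out: entries in the block list should expire, otherwise one burst bans a source forever, and a rule keyed purely on source address can be turned against you, since an attacker who spoofs a legitimate host's address above the threshold gets that host dropped too.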
While searching, I found some very good material on the net which I should mention here for further reading:
linux 2.4 Packet Filtering
Writing Network device Driver
Inside the Linux Packet Filter Part 1
Inside the Linux Packet Filter Part II
I will add more......