Does anybody know how stateful inspection works?
I've programmed a TDI filter and an NDIS packet filter driver. Now I want to put them together into a stateful inspection engine.
Is this the right way?
TDI layer:
TDI_CONNECT: create a connection entry in a list
TDI_DISCONNECT: delete the connection entry from the list
NDIS layer:
When we receive a packet, search for the source port and IP and the destination port and IP in
the connection list, then deny or allow it.
-> Is this stateful inspection?
If it's wrong, please correct me.
Regards,
Bruce Raynold
Google on the term “stateful packet inspection” should be helpful to you.
Good luck,
Thomas F. Divine, Windows DDK MVP
http://www.pcausa.com
No, stateful inspection is maintaining some state in the firewall from packet to packet. This, for instance, allows scanning the TCP stream for some strings, which can span across packets.
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
----- Original Message -----
From: Bruce Raynold
To: Windows System Software Devs Interest List
Sent: Thursday, September 30, 2004 6:41 PM
Subject: [ntdev] Stateful Inspection with TDI and NDIS
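The point made in the last reply, as an added example that is not part of the original thread and is not driver code: a user-mode C sketch in which each connection entry carries matcher state from packet to packet, so a string split across two segments is still found. All names (`conn_get`, `inspect`, `SIG`) and the sample signature are hypothetical; it assumes one direction of traffic and in-order payloads with no reassembly.

```c
#include <stddef.h>
#include <stdint.h>

#define SIG      "MALWARE"   /* constructed sample signature */
#define SIG_LEN  7
#define MAX_CONN 16

typedef struct {             /* one entry per tracked connection */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    int      in_use;
    size_t   matched;        /* signature bytes matched so far (KMP state) */
} conn_t;

static conn_t table[MAX_CONN];
static size_t fail[SIG_LEN]; /* KMP failure table, zero-initialised */

/* Build the failure table once, before any packet is inspected. */
static void sig_init(void) {
    for (size_t i = 1, k = 0; i < SIG_LEN; i++) {
        while (k && SIG[i] != SIG[k]) k = fail[k - 1];
        if (SIG[i] == SIG[k]) k++;
        fail[i] = k;
    }
}

/* Look up a 4-tuple; create the entry if absent (the connect event). */
static conn_t *conn_get(uint32_t sip, uint16_t sp, uint32_t dip, uint16_t dp) {
    conn_t *slot = NULL;
    for (int i = 0; i < MAX_CONN; i++) {
        conn_t *c = &table[i];
        if (c->in_use && c->src_ip == sip && c->src_port == sp &&
            c->dst_ip == dip && c->dst_port == dp) return c;
        if (!c->in_use && !slot) slot = c;
    }
    if (slot) *slot = (conn_t){ sip, dip, sp, dp, 1, 0 };
    return slot;             /* NULL when the table is full */
}

/* Feed one in-order payload; returns 1 when SIG completes, even across calls. */
static int inspect(conn_t *c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        while (c->matched && p[i] != (uint8_t)SIG[c->matched])
            c->matched = fail[c->matched - 1];
        if (p[i] == (uint8_t)SIG[c->matched]) c->matched++;
        if (c->matched == SIG_LEN) { c->matched = 0; return 1; }
    }
    return 0;
}
```

A stateless per-packet scan would miss the signature in the second payload; the per-connection `matched` counter is the state that catches it.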