From owner-freebsd-net@FreeBSD.ORG  Wed Jul 31 19:16:08 2013
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 7B2FA5B3
 for <freebsd-net@freebsd.org>; Wed, 31 Jul 2013 19:16:08 +0000 (UTC)
 (envelope-from groundup2360917182914017@gmail.com)
Received: from mail-wi0-x241.google.com (mail-wi0-x241.google.com
 [IPv6:2a00:1450:400c:c05::241])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 10BA7238B
 for <freebsd-net@freebsd.org>; Wed, 31 Jul 2013 19:16:07 +0000 (UTC)
Received: by mail-wi0-f193.google.com with SMTP id j17so518318wiw.4
 for <freebsd-net@freebsd.org>; Wed, 31 Jul 2013 12:16:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:date:message-id:subject:from:to:content-type;
 bh=+kSsXbmikAJAItBe9rSjEsxyN8dxis8fxGvith6KTac=;
 b=tpg5OWjrRrl7R4eAqIfKD83VJ+ux/RGarKzQaRVsH4H54UH3Io5aTgZurmDF0R1MY1
 HgLBCNkd2Ic9/scnXKsA39FbbhlavJiily7atbOuy9nLDg4FYPX8PPozkGOjKtBzJg2v
 9CLRrvCnkItitChZ+kHtLe01YVz0X/BGd0hfbJAqQKLd+nmu+pomfA07yj0SlgzFS+ay
 RjQMMNXD/2CUrBCCbP2+zRs2iptNsjgjv+SvMMkeUIimHJQexm+o8xUzSI1Ie6qrM37V
 zfRoIIRZmqY4q9nwaVJ+zAwEOsx9SZkLx2EqtMrkrMzt6bNOo0alRfuVNncOS36xdiIz
 lyfw==
MIME-Version: 1.0
X-Received: by 10.180.24.197 with SMTP id w5mr5273110wif.25.1375298166161;
 Wed, 31 Jul 2013 12:16:06 -0700 (PDT)
Received: by 10.216.212.138 with HTTP; Wed, 31 Jul 2013 12:16:06 -0700 (PDT)
Received: by 10.216.212.138 with HTTP; Wed, 31 Jul 2013 12:16:06 -0700 (PDT)
Date: Wed, 31 Jul 2013 15:16:06 -0400
Message-ID: <CAKwMmas4+E6-hNNVH_SbmZ_a-1QjvfcfMm8DjBdGcmghgy7+Pw@mail.gmail.com>
Subject: Is a shellcode kernel network detector worth it?
From: Anthony Brown <groundup2360917182914017@gmail.com>
To: freebsd-net@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.14
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jul 2013 19:16:08 -0000

Is a shellcode kernel network detector worth it.  I was thinking about
making a kernel module that would detect shellcode and then stop it from
getting pass the kernel.  I don't know if it is worth it though, because if
the data in the packets is encrypted I won't be able to check for
shellcode.  Is it normal for must data coming from the network to not be
encrypted?