Re: Snort as Gigabit Sensor

[Chris Green <cmg () sourcefire com>]

Frank Knobbe <frank () knobbe us> writes:

> heh... now you sparked my interest. What exactly "didn't work" in
> threading Snort? 

At some point around 1.8, it didn't work. Namely, --enable-pthreads
resulted in a non working build. Full instances of snort were
basically spawned off for each thread.  Now, reconciling that with
making the rest of snort thread safe once snort started keeping state
takes a lot of work.  There's a lot of global's and static that would
need lots of spinlocks.  

> Looking at the current source, I still see the function
> "InterfaceThread", but no use of pthread as it was in Snort 1.9
> (just grepping at the moment)

That one thread is the snort process.

> . Running the packet capture per interface in separate threads was a
> good idea (I haven't tried it myself though). And the code didn't
> seem that much more complex either.

That gave the detection engine the threading capabilty of

 snort1 -c snort1.conf -i eth0 &
 snort2 -c snort1.conf -i eth1 &
 snort3 -c snort1.conf -i eth2 &

The latter process is more flexible and just as good as snort doing
that spin for you.
-- 
Chris Green <cmg () sourcefire com>
Don't use a big word where a diminutive one will suffice.


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users