Snort mailing list archives

Re: stream based av and snort/Stream5

From: lynch meng <lynch.meng () gmail com>
Date: Wed, 10 Mar 2010 10:29:03 +0800

on tue, 9 Mar 2010 15:59:54 -0500, randy () procyonlabs com wrote:

hello all! I am working for develop a snort preprosessor to do stream
based anti virus. I need do mime decodeing and decompress, so reassembled
packets should come to my preprosessor sequentially. client side packet
have no problem, but i can not get packet with PKT_REBUILT_STREAM flags
from server side?


As Snort is not currently multi-threaded, wouldn't this have terrible
consequences when larger files are encountered?

Then again, does the threading factor even matter? I'm not too familiar
with the internals of preprocessors (do/can they lock?).

Randy


about larger files problem, streamav_size option will be added.  av
engine will be skipped
when over size file encountered.

lynch.meng

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Current thread:

stream based av and snort/Stream5 lynch.meng (Mar 09)
- Re: stream based av and snort/Stream5 Randal T. Rioux (Mar 09)
- <Possible follow-ups>
- Re: stream based av and snort/Stream5 lynch meng (Mar 09)