Snort mailing list archives

multi-threaded snort

From: Maxim Uvarov <maxim.uvarov () linaro org>
Date: Tue, 01 Jul 2014 14:33:58 +0400

Hello,

Is Snort thread safe? And what is needed to be done to make it thread safe?

I'm working on port Snort to ODP (http://www.opendataplane.org/). With 
single threaded version
everything is clear. I did DAQ module and do packet push the same way as 
other modules do.
But ODP can scale to different threads and it will be nice to get this 
benefits in snort also. For having this
I compiled snort as static library and wrote simple app which in several 
threads calls snort packet callback:

         gettimeofday(&daqhdr.ts, NULL);
         daqhdr.caplen = odp_buffer_size(pkt);
         printf("%s() odp recieved packet len %d. thread %d\n", 
__func__, odp_packet_get_len(p
kt), thr);
         daqhdr.pktlen = odp_packet_get_len(pkt);
         daqhdr.ingress_index = 0;
         daqhdr.egress_index =  DAQ_PKTHDR_UNKNOWN;
         daqhdr.ingress_group = DAQ_PKTHDR_UNKNOWN;
         daqhdr.egress_group = DAQ_PKTHDR_UNKNOWN;
         daqhdr.flags = 0;
         daqhdr.opaque = 0;
         daqhdr.priv_ptr = NULL;
         daqhdr.address_space_id = 0;

         /* Pass packet to Snort */
         verd = PacketCallback( "NULL", daqhdr, data);

But as I understand snort has bunch of global variables which used 
everywhere in code and they are not per-thread.
So the question is  - how to packet analyzing in snort in multi 
threading app?

Thanks,
Maxim.



------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

multi-threaded snort Maxim Uvarov (Jul 01)
- Re: multi-threaded snort Russ Combs (rucombs) (Jul 02)