Snort mailing list archives

Re: multi-threaded snort

From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Wed, 2 Jul 2014 13:12:45 +0000
Maxim,

Snort is not thread safe but we are investigating how to make it so.  Some things to look for:

-- Global variables, as you noted, must be made thread local depending on usage.  For example, lookup tables 
initialized at start up are OK, but packet data buffers must be changed.

-- Calls to unsafe functions from the packet threads must be changed.  For example, ctime() and strtok() could be 
changed to ctime_r() and strtok_r().

-- Files written by packet threads must be given unique names.  For example, you can add a packet thread instance 
number to the path.

These issues and others were addressed in SnortSP, so you may want to get that from snort.org to see what was done 
there.

Porting to ODP sounds like a great project.  Have fun.
Russ

________________________________________
From: Maxim Uvarov [maxim.uvarov () linaro org]
Sent: Tuesday, July 01, 2014 6:33 AM
To: snort-devel () lists sourceforge net
Subject: [Snort-devel] multi-threaded snort

Hello,

Is Snort thread safe? And what is needed to be done to make it thread safe?

I'm working on port Snort to ODP (http://www.opendataplane.org/). With
single threaded version
everything is clear. I did DAQ module and do packet push the same way as
other modules do.
But ODP can scale to different threads and it will be nice to get this
benefits in snort also. For having this
I compiled snort as static library and wrote simple app which in several
threads calls snort packet callback:

         gettimeofday(&daqhdr.ts, NULL);
         daqhdr.caplen = odp_buffer_size(pkt);
         printf("%s() odp recieved packet len %d. thread %d\n",
__func__, odp_packet_get_len(p
kt), thr);
         daqhdr.pktlen = odp_packet_get_len(pkt);
         daqhdr.ingress_index = 0;
         daqhdr.egress_index =  DAQ_PKTHDR_UNKNOWN;
         daqhdr.ingress_group = DAQ_PKTHDR_UNKNOWN;
         daqhdr.egress_group = DAQ_PKTHDR_UNKNOWN;
         daqhdr.flags = 0;
         daqhdr.opaque = 0;
         daqhdr.priv_ptr = NULL;
         daqhdr.address_space_id = 0;

         /* Pass packet to Snort */
         verd = PacketCallback( "NULL", daqhdr, data);

But as I understand snort has bunch of global variables which used
everywhere in code and they are not per-thread.
So the question is  - how to packet analyzing in snort in multi
threading app?

Thanks,
Maxim.



------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
Current thread:

multi-threaded snort Maxim Uvarov (Jul 01)
- Re: multi-threaded snort Russ Combs (rucombs) (Jul 02)