[Snort-devel] RE: A Proposal for Reengineering Snort's Packet Matching System - Comments

Fyodor fygrave at ...1...
Fri Apr 6 11:57:42 EDT 2001

On Fri, Apr 06, 2001 at 11:32:50AM -0400, agetchel at ...358... wrote:
> Hi Todd,
> > If I were in the business of writing optimizers, and with any luck
> > so many other people will that I won't have to, then I would try to
> > generalise this strategy by somehow associating protocol prerequisites
> > to rules and then culling all rules whose protocol prereqs 
> > are not met.
> 	So, basically, the logic would be built into Snort that would say
> 'this packet can't possibly be HTTP, since it doesn't contain this set of
> attributes, so I'm not going to bother to check it against the HTTP rules'.
> Is this correct?  I like this idea, _a lot_, but whoever programs this code

yep, IMHO this makes a lot of sense to attempt to match only those rules which
belong to a certain protocol. (I pulled this idea as 'preprocessor-specific rules'
but I see that Todd had a similar idea. I am currently reviewing his piece and
will post it shortly :))

> has to do some serious testing to make sure it can't be easily fooled and an
> attack silently slip through.

If not port 80 (or whichever port is configured to be watched as 'possible http'), the
packet could be omitted; if http, the session should at least match the http specification,
etc.. I believe these kinds of checks are sane.

> e-mail, as well as the one you mention here, then leaps and bounds would be
> made in packet matching performance.  Anybody else out there listening?
> Marty? =)

yep, we are listening to (ummm.. actually reading) the stuff :))

> 	Interesting.  My knowledge of threading in C is somewhat limited, so
> please excuse the basic questions.  The only multithread programming I've
> done has been in console Java using native threads.  So to me, a thread is a
> thread is a thread no matter what kind of OS you're running the app on.  I

Threads on each platform are implemented in a different way; Solaris and BSD(?) have a
kernel-space threads implementation, while in Linux it is still userland (kind of
forked processes with shared memory), so threaded performance should differ on
different systems (although the interface should be the same), if that was your question.

There are also different thread API standards; the one which I am used to is posix threads,
but I guess there are others (even for the unix platform).

> get the impression from your response that this is not so in C. =)  Is there
> a standard threading library for C which is supported under most every OS?

posix is supposed to be. (pthreads)

> Would it be possible to write the packet matching engine code using this
> standard library? 

yes, you just have to make sure that all the functions used are thread-safe.

> If so, what about threading the packet matching engine
> (the part of Snort which would most benefit from this), keeping the single
> threaded code, and allow the user (by means of the snort.conf file) to
> choose if he has an SMP system or not?

IMHO it might make sense to abstract from threads and design a kind of module-spawning and
message-exchange protocol which could use threads, mpi, rpc, or corba(?) as the underlying
implementation. That's the model which I am currently trying to get done on another
project of mine, and if it works out we may think about how similar tech could be applied
to snort.. maybe.. :)

PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
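The rule-culling idea discussed above (skip the HTTP rules for a packet that cannot possibly be HTTP, keep rules with no protocol prerequisite for every packet) sketched as an added example. This is illustrative code written for this page, not Snort's own engine: the rule set, rule names, contents and the 'possible http' port list (80, 8080) are constructed, and the prerequisite functions `is_http_candidate`, `is_dns_candidate`, and the helpers `cull_rules`, `match_packet`, `count_candidates` and `count_hits` are assumed names.

```c
#include <stdio.h>
#include <string.h>

/* Transport protocol numbers as they appear in the IP header. */
enum transport { TR_TCP = 6, TR_UDP = 17 };

struct packet {
    enum transport proto;
    unsigned short dport;
    const char *payload;   /* application data; NULL if none */
};

/* A prerequisite says whether a packet could possibly be the rule's protocol. */
typedef int (*prereq_fn)(const struct packet *);

struct rule {
    const char *name;
    prereq_fn prereq;      /* NULL: no prerequisite, evaluate against every packet */
    const char *content;   /* the expensive check: substring to look for */
};

/* Ports configured as 'possible http' (constructed; would come from snort.conf). */
static const unsigned short http_ports[] = { 80, 8080 };

/* Conservative gate: only TCP to a configured http port can be http at all. */
static int is_http_candidate(const struct packet *p)
{
    if (p->proto != TR_TCP)
        return 0;
    for (size_t i = 0; i < sizeof http_ports / sizeof http_ports[0]; i++)
        if (p->dport == http_ports[i])
            return 1;
    return 0;
}

static int is_dns_candidate(const struct packet *p)
{
    return p->proto == TR_UDP && p->dport == 53;
}

/* Constructed rule set; names and contents are illustrative only. */
static const struct rule rules[] = {
    { "http-cgi-bin",      is_http_candidate, "/cgi-bin/" },
    { "http-dot-dot",      is_http_candidate, "../"       },
    { "dns-version-query", is_dns_candidate,  "version"   },
    { "any-bad-token",     NULL,              "badtoken"  },
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Cull: keep only rules whose prerequisites this packet meets. Returns count. */
int cull_rules(const struct packet *p, const struct rule **out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < NRULES && n < max; i++)
        if (rules[i].prereq == NULL || rules[i].prereq(p))
            out[n++] = &rules[i];
    return (int)n;
}

/* Match: run the content search only over the culled subset. Returns hits. */
int match_packet(const struct packet *p)
{
    const struct rule *cand[NRULES];
    int n = cull_rules(p, cand, NRULES), hits = 0;
    for (int i = 0; i < n; i++)
        if (p->payload != NULL && strstr(p->payload, cand[i]->content) != NULL)
            hits++;
    return hits;
}

/* Convenience wrappers so a caller can drive the engine by packet fields. */
int count_candidates(int proto, unsigned short dport, const char *payload)
{
    struct packet p = { (enum transport)proto, dport, payload };
    const struct rule *cand[NRULES];
    return cull_rules(&p, cand, NRULES);
}

int count_hits(int proto, unsigned short dport, const char *payload)
{
    struct packet p = { (enum transport)proto, dport, payload };
    return match_packet(&p);
}

int main(void)
{
    const char *req = "GET /cgi-bin/../ HTTP/1.0";   /* constructed sample request */
    printf("tcp/80: %d candidate rules, %d hits\n",
           count_candidates(TR_TCP, 80, req), count_hits(TR_TCP, 80, req));
    printf("tcp/22: %d candidate rules\n", count_candidates(TR_TCP, 22, "SSH-2.0-x"));
    printf("udp/53: %d candidate rules, %d hits\n",
           count_candidates(TR_UDP, 53, "version"), count_hits(TR_UDP, 53, "version"));
    return 0;
}
```

The design point is that the prerequisite is a cheap header test that can only ever say "this packet cannot be protocol X", never "this packet is X"; the real content matching still runs on whatever survives. That is also where the testing concern raised in the thread bites: any deeper check (such as requiring the session to look like the HTTP specification) must be conservative enough that a packet which really would have matched a rule never gets culled, or the attack slips through silently.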
