[Snort-devel] Thoughts on threads

Martin Roesch roesch at ...48...
Sat Apr 7 00:07:18 EDT 2001

Fyodor wrote:
> On Fri, Apr 06, 2001 at 02:00:10PM -0400, Jon Bentley wrote:
> > I haven't received a good beating recently, so I'll throw my two cents
> > into the ring.
> >
> > Threads (nee parallelization) would cause me some concern, as it would
> > potentially remove the serial order of received packets.  Perhaps that is
> > a concern of only myself, though.  (Packet sequence numbers, with a post-
> > process reordering?)
> not if we pipeline the packet process. There's always packet sequencing solution (but
> then you'd have to block packet logging at the last stage until all the previously received
> packets are logged).

Sequencing packets into the stream reassembler and IP defragger could
potentially be somewhat sensitive, especially if we decide to try to
detect evasion techniques in those sub-processes.  If we log
non-sequentially, we're going to have to write something to "de-kink"
the packet log files (which won't work for the non-binary/database
packet dumps).

> > Pthreads are great, but do we care about our W*ndows friends?
> >
> Some people do :). But I looked into Windows threads, and the routines there
> seem to have the similar functional meaning, although kinda different
> syntaxical (is there such word? :)) representation.

I hear Pandora thought that she could close the box if she didn't like
what she saw inside.... ;)
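
The sequence-number approach discussed in this thread, as an added example that is not part of the original messages and is not Snort code: packets are numbered at capture, and the logging stage holds any packet that finishes early until all of its predecessors have been written. The names `reorder`, `reorder_done`, `demo` and the `WINDOW` size are assumptions; in a threaded pipeline `reorder_done` would be called under a lock.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WINDOW 8                      /* max packets in flight (assumed) */

struct reorder {
    uint64_t next;                    /* next sequence number to log */
    int      ready[WINDOW];           /* slot holds a finished packet */
    uint64_t out[64];                 /* constructed "log": seqs in write order */
    size_t   nout;
};

/* Called when packet `seq` has finished detection.
 * Returns the number of packets written to the log by this call, or -1 if
 * seq is stale, a duplicate, or too far ahead (caller must wait). */
static int reorder_done(struct reorder *r, uint64_t seq)
{
    if (seq < r->next || seq - r->next >= WINDOW) return -1;
    if (r->ready[seq % WINDOW]) return -1;
    r->ready[seq % WINDOW] = 1;

    int written = 0;
    /* Drain the contiguous run starting at `next`; later packets stay held. */
    while (r->ready[r->next % WINDOW] && r->nout < 64) {
        r->ready[r->next % WINDOW] = 0;
        r->out[r->nout++] = r->next++;
        written++;
    }
    return written;
}

/* Constructed completion order: workers finish 2,0,1,4,3.
 * Returns 1 if the log ends up in capture order 0..4. */
static int demo(void)
{
    struct reorder r;
    memset(&r, 0, sizeof r);
    uint64_t finish[] = {2, 0, 1, 4, 3};
    for (size_t i = 0; i < 5; i++) reorder_done(&r, finish[i]);
    for (size_t i = 0; i < r.nout; i++)
        if (r.out[i] != i) return 0;
    return r.nout == 5;
}

int main(void)
{
    printf("in-order log: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The `-1` return for a sequence number beyond the window is the blocking point Fyodor describes: the last stage cannot accept more work until the oldest outstanding packet is logged.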

