[Snort-devel] Threaded snort

agetchel at ...358... agetchel at ...358...
Thu Jun 14 11:35:50 EDT 2001


Hey guys,
	Correct me if I'm wrong, but Marty's comments at the SANS conference
in Baltimore stated that Snort is not threaded (of course) and will not be
threaded to keep portability across all platforms that Snort is being run
on.  It was also discussed on this list, and the conclusions were the same.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/



> -----Original Message-----
> From: tlewis at ...255... [mailto:tlewis at ...255...]
> Sent: Thursday, June 14, 2001 11:19 AM
> To: Sjsnort
> Cc: Snort-Devel
> Subject: Re: [Snort-devel] Threaded snort
> 
> 
> I strongly suspect that snort v2 will support threading.  The main problem
> with that whole issue, though, is that the majority of the cost comes in
> acquiring the packets, and all of the packet acquisition mechanisms, from
> pcap to netfilter to divert, are strongly single-threaded.  Until those
> interfaces, which are external to snort, are updated to be multi-threaded,
> or until other, threaded packet acquisition mechanisms are built to
> replace them, then threading won't give you the huge speedup that you
> would think that it would, unless you're just looking for a speedup
> on output processing.  Of course, all output methods I know of are
> single-threaded, too, but hey, on a 2-way, that's one cpu for packet
> acquisition and one cpu for reporting, with the actual matching just
> sort of happening wherever it's convenient.  8^)
> 
> While we're on the subject, I don't see good prospects of the netfilter
> guys making netfilter particularly fast anytime soon.  Anyone out there
> ever done any kernel hacking?  Let's pick a linux device driver (I'm
> partial to the intel eepro100, since that's what's on my box) and hack
> it up to allow snort to mmap the ethernet card's dma target, the receive
> buffer, directly.  Now that would let you be SMP and really fly.
> 
> --
> Todd Lewis
> tlewis at ...255...
> 
> On Thu, 14 Jun 2001, Sjsnort wrote:
> 
> > Hi,
> > 
> > In a recent discussion on the users list someone claimed that the developers
> > aren't planning to thread snort in future versions either. Is it true? I thought
> > Snort 2.0 would be threaded.
> > 
> > Siddhartha
> > 
> > 
> > 
> > 
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > 
> 
> 
> 



