[Snort-devel] Threaded snort

tlewis at ...255... tlewis at ...255...
Thu Jun 14 11:36:52 EDT 2001


As I understand Marty's position, it is that snort not _require_
threading.  So long as non-threaded platforms, like his beloved OpenBSD,
are fully supported, it is ok, as I understand his position, optionally
to support threading on modern^H^H^H^H^H^Hother platforms.

--
Todd Lewis
tlewis at ...255...

On Thu, 14 Jun 2001 agetchel at ...358... wrote:

> Hey guys,
> 	Correct me if I'm wrong, but Marty's comments at the SANS conference
> in Baltimore stated that Snort is not threaded (of course) and will not be
> threaded to keep portability across all platforms that Snort is being run
> on.  It was also discussed on this list, and the conclusions were the same.
> 
> Thanks,
> Abe
> 
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel at ...358...
> Web     http://www.kde.state.ky.us/
> 
> 
> 
> > -----Original Message-----
> > From: tlewis at ...255... [mailto:tlewis at ...255...]
> > Sent: Thursday, June 14, 2001 11:19 AM
> > To: Sjsnort
> > Cc: Snort-Devel
> > Subject: Re: [Snort-devel] Threaded snort
> > 
> > 
> > I strongly suspect that snort v2 will support threading.  The 
> > main problem
> > with that whole issue, though, is that the majority of the 
> > cost comes in
> > acquiring the packets, and all of the packet acquisition 
> > mechanisms, from
> > pcap to netfilter to divert, and strongly single-threaded.  
> > Until those
> > interfaces, which are external to snort, are updated to be 
> > multi-threaded,
> > or until other, threaded packet acquisition mechanisms are built to
> > replace them, then threading won't give you the huge speedup that you
> > would think that it would, unless you're just looking for a speedup
> > on output processing.  Of course, all output methods I know of are
> > single-threaded, too, but hey, on a 2-way, that's one cpu for packet
> > acquisition and one cpu for reporting, with the actual matching just
> > sort of happening wherever it's convenient.  8^)
> > 
> > While we're on the subject, I don't see good prospects of the 
> > netfilter
> > guys making netfilter particularly fast anytime soon.  Anyone 
> > out there
> > ever done any kernel hacking?  Let's pick a linux device driver (I'm
> > partial to the intel eepro100, since that's what's on my box) and hack
> > it up to allow snort to mmap the ethernet card's dma target, 
> > the receive
> > buffer, directly.  Now that would let you be SMP and really fly.
> > 
> > --
> > Todd Lewis
> > tlewis at ...255...
> > 
> > On Thu, 14 Jun 2001, Sjsnort wrote:
> > 
> > > Hi,
> > > 
> > > In a recent discussion on the users list someone claimed 
> > that the developers
> > > aren't planning thread snort in future versions also. Is it 
> > true? I thought
> > > Snort 2.0 would be threaded.
> > > 
> > > Siddhartha
> > > 
> > > 
> > > 
> > > _________________________________________________________
> > > Do You Yahoo!?
> > > Get your free @yahoo.com address at http://mail.yahoo.com
> > > 
> > > 
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > 
> > 
> > 
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > 
> 





More information about the Snort-devel mailing list