[Snort-devel] Threaded snort

Sjsnort sjsnort at ...398...
Thu Jun 14 13:28:44 EDT 2001


Well, I didn't go to SANS but from my CPU utilizations I do see a need for
multi-threaded snort. More so because I run snort on a dual-processor Sun
box and even with a low bandwidth 5-6 Mbps snort easily runs up to 60% usage
(Snort-1.8beta6 Build 25). Although, I know that in the stable release bugs
would be fixed and CPU utilization may come down but the point is that I
feel it is better to have a single box (multi-processor) do as much snorting
as it can before going to do things like split the traffic between multiple
boxes (which by itself is a controversial topic).

Anyway, here is how I think multi-threading can help. The way I understand
it is that once the packet is captured by libpcap and stored in a data
structure, all other engines & preprocessors essentially only read this data
structure and generate their conclusions from what they see in the data
structure. Given my assumption is right, couldn't all these engines and
preprocessors which only read the captured packet be turned into threads?
Also, output functions like those which write to files or databases could
also be run as threads (I remember Marty saying somewhere that Snort writing
to MySQL eats more CPU).

Although I am not much of a programmer, to maintain cross-platform
operability, couldn't snort have an option like OpenLDAP or perl where you
can build them with or without threads support?

I know multi-threading involves a lot of careful redesigning and re-writing
of code but with OSs like Solaris, I think it would be worth it.

Siddhartha

----- Original Message -----
From: <agetchel at ...358...>
To: <tlewis at ...255...>; <sjsnort at ...398...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Thursday, June 14, 2001 9:05 PM
Subject: RE: [Snort-devel] Threaded snort


> Hey guys,
> Correct me if I'm wrong, but Marty's comments at the SANS conference
> in Baltimore stated that Snort is not threaded (of course) and will not be
> threaded to keep portability across all platforms that Snort is being run
> on.  It was also discussed on this list, and the conclusions were the
> same.
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel at ...358...
> Web     http://www.kde.state.ky.us/
>
>
>
> > -----Original Message-----
> > From: tlewis at ...255... [mailto:tlewis at ...255...]
> > Sent: Thursday, June 14, 2001 11:19 AM
> > To: Sjsnort
> > Cc: Snort-Devel
> > Subject: Re: [Snort-devel] Threaded snort
> >
> >
> > I strongly suspect that snort v2 will support threading.  The main problem
> > with that whole issue, though, is that the majority of the cost comes in
> > acquiring the packets, and all of the packet acquisition mechanisms, from
> > pcap to netfilter to divert, are strongly single-threaded.  Until those
> > interfaces, which are external to snort, are updated to be multi-threaded,
> > or until other, threaded packet acquisition mechanisms are built to
> > replace them, then threading won't give you the huge speedup that you
> > would think that it would, unless you're just looking for a speedup
> > on output processing.  Of course, all output methods I know of are
> > single-threaded, too, but hey, on a 2-way, that's one cpu for packet
> > acquisition and one cpu for reporting, with the actual matching just
> > sort of happening wherever it's convenient.  8^)
> >
> > While we're on the subject, I don't see good prospects of the netfilter
> > guys making netfilter particularly fast anytime soon.  Anyone out there
> > ever done any kernel hacking?  Let's pick a linux device driver (I'm
> > partial to the intel eepro100, since that's what's on my box) and hack
> > it up to allow snort to mmap the ethernet card's dma target, the receive
> > buffer, directly.  Now that would let you be SMP and really fly.
> >
> > --
> > Todd Lewis
> > tlewis at ...255...
> >
> > On Thu, 14 Jun 2001, Sjsnort wrote:
> >
> > > Hi,
> > >
> > > In a recent discussion on the users list someone claimed that the
> > > developers aren't planning to thread snort in future versions also. Is
> > > it true? I thought Snort 2.0 would be threaded.
> > >
> > > Siddhartha
> > >
> > >
> > >
> > > _______________________________________________
> > > Snort-devel mailing list
> > > Snort-devel at lists.sourceforge.net
> > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > >
> >
> >


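The design sketched in Siddhartha's message (capture each packet once into a data structure, then let every engine that only reads it run as its own thread) written out as an added C/pthreads example. This is illustration code, not part of this thread and not Snort's code: the three toy engines, the packet layout, the five sample packets and the per-engine alert counters are all constructed here, and the capture thread copies from an in-memory array rather than calling libpcap.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKTS  64
#define N_ENGINES 3

/* A captured packet: copied once by the capture thread, read-only afterwards.
   payload[0..15] holds data; payload[16] stays 0 so strstr() below is bounded. */
typedef struct { uint32_t id; uint16_t dport; uint16_t len; uint8_t payload[17]; } Packet;

typedef struct {
    Packet pkts[MAX_PKTS];     /* written by capture before publish, then immutable */
    size_t captured;           /* number of published packets, guarded by lock */
    int capture_done;          /* set once capture will publish nothing more */
    pthread_mutex_t lock;
    pthread_cond_t more;
    size_t alerts[N_ENGINES];  /* each engine writes only its own slot */
} Pipeline;

/* Constructed toy engines: each only reads the packet and returns 1 on alert. */
static int engine_port(const Packet *p)    { return p->dport == 23; }
static int engine_content(const Packet *p) { return strstr((const char *)p->payload, "evil") != NULL; }
static int engine_size(const Packet *p)    { return p->len == 0; }
static int (*const engines[N_ENGINES])(const Packet *) = { engine_port, engine_content, engine_size };
typedef struct { Pipeline *pl; int idx; } EngineArg;
typedef struct { Pipeline *pl; const Packet *src; size_t n; } CaptureArg;

/* One thread per engine: wait for newly published packets, then scan them. */
static void *engine_main(void *v) {
    EngineArg *a = v; Pipeline *pl = a->pl; size_t next = 0;
    for (;;) {
        pthread_mutex_lock(&pl->lock);
        while (next >= pl->captured && !pl->capture_done)
            pthread_cond_wait(&pl->more, &pl->lock);
        size_t avail = pl->captured; int done = pl->capture_done;
        pthread_mutex_unlock(&pl->lock);
        if (next >= avail && done) break;
        for (; next < avail; next++)          /* no lock: published packets never change */
            if (engines[a->idx](&pl->pkts[next])) pl->alerts[a->idx]++;
    }
    return NULL;
}

/* The single capture thread (stands in for the pcap loop): copy, then publish. */
static void *capture_main(void *v) {
    CaptureArg *c = v; Pipeline *pl = c->pl;
    for (size_t i = 0; i < c->n && i < MAX_PKTS; i++) {
        pl->pkts[i] = c->src[i];              /* the copy completes before publish */
        pthread_mutex_lock(&pl->lock);
        pl->captured = i + 1;                 /* engines may now read pkts[i] */
        pthread_cond_broadcast(&pl->more);
        pthread_mutex_unlock(&pl->lock);
    }
    pthread_mutex_lock(&pl->lock);
    pl->capture_done = 1; pthread_cond_broadcast(&pl->more);
    pthread_mutex_unlock(&pl->lock);
    return NULL;
}

/* Run one capture thread plus N_ENGINES engine threads over src; returns total alerts. */
size_t run_pipeline(const Packet *src, size_t n, size_t per_engine[N_ENGINES]) {
    Pipeline pl; memset(&pl, 0, sizeof pl);
    pthread_mutex_init(&pl.lock, NULL); pthread_cond_init(&pl.more, NULL);
    pthread_t cap, eng[N_ENGINES]; EngineArg ea[N_ENGINES];
    CaptureArg ca = { &pl, src, n };
    for (int i = 0; i < N_ENGINES; i++) {
        ea[i].pl = &pl; ea[i].idx = i;
        pthread_create(&eng[i], NULL, engine_main, &ea[i]);
    }
    pthread_create(&cap, NULL, capture_main, &ca);
    pthread_join(cap, NULL);
    size_t total = 0;
    for (int i = 0; i < N_ENGINES; i++) {
        pthread_join(eng[i], NULL);
        per_engine[i] = pl.alerts[i]; total += pl.alerts[i];
    }
    pthread_mutex_destroy(&pl.lock); pthread_cond_destroy(&pl.more);
    return total;
}

static Packet make_packet(uint32_t id, uint16_t dport, const char *payload) {
    Packet p = { id, dport, (uint16_t)(strlen(payload) < 16 ? strlen(payload) : 16), {0} };
    memcpy(p.payload, payload, p.len);
    return p;
}

/* Constructed sample traffic; engine -1 returns the total, otherwise that engine's count.
   Expected: port=2 (ids 2,4), content=1 (id 3), size=1 (id 4), total=4. */
size_t demo_alerts(int engine) {
    Packet pk[5] = { make_packet(1, 80, "GET / HTTP"), make_packet(2, 23, "login"),
                     make_packet(3, 80, "xx evil xx"), make_packet(4, 23, ""), make_packet(5, 443, "hello") };
    size_t per[N_ENGINES];
    size_t total = run_pipeline(pk, 5, per);
    return engine < 0 ? total : per[engine];
}

int main(void) { printf("total alerts: %zu\n", demo_alerts(-1)); return 0; }
```

The rule that makes this safe without per-packet locking is the one the message relies on: a packet is written exactly once, before it is published under the mutex, and every engine treats it as read-only from then on. The per-engine counters stand in for the output stage; a file or database writer would hang off the same publish/wait pattern, consuming an alert queue instead of the packet array. Note also Todd's point in the quoted reply: capture here is still a single thread, so the engines can only run as fast as that one thread can publish.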
