[Snort-devel] Threaded snort

agetchel at ...358... agetchel at ...358...
Thu Jun 14 14:30:33 EDT 2001


Hi Siddhartha,
	No one ever said there wasn't an advantage to having Snort threaded,
it was just stated that it probably wasn't going to happen. =)  I think
everyone agrees that threading Snort to allow it to take advantage of
multiple processors would help performance, but the real question is can
this be done without hurting the portability of the code?  The answer was a
resounding 'no'.  I think that the Snort developers are on the right track
when it comes to releasing Snort 2.0 to have the _capability_ to be
threaded, but I sure wouldn't want to be the one to manage all those
different source trees... =)

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/



> -----Original Message-----
> From: Sjsnort [mailto:sjsnort at ...398...]
> Sent: Thursday, June 14, 2001 1:29 PM
> To: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] Threaded snort
> 
> 
> Well, I didn't go to SANS but from my CPU utilizations I do see a need for
> multi-threaded snort. More so because I run snort on a dual-processor Sun
> box and even with a low bandwidth 5-6 Mbps snort easily runs up to 60% usage
> (Snort-1.8beta6 Build 25). Although, I know that in the stable release bugs
> would be fixed and CPU utilization may come down but the point is that I
> feel it is better to have single box (multi-processor) do as much snorting
> as it can before going to do things like split the traffic between multiple
> boxes (which by itself is a controversial topic).
> 
> Anyway, here is how I think multi-threading can help. The way I understand
> it is that once the packet is captured by libpcap and stored in a data
> structure, all other engines & preprocessors essentially only read this data
> structure and generate their conclusions from what they see in the data
> structure. Given my assumption is right, couldn't all these engines and
> preprocessors which only read the captured packet be turned into threads?
> Also, output functions like those which write to files or databases also be
> run as threads (I remember Marty saying somewhere that Snort writing to
> MySQL eats more CPU).
> 
> Although, I am not much of a programmer but to maintain cross-platform
> operability, couldn't snort have an option like OpenLDAP or perl where you
> can build them with or without threads support?
> 
> I know multi-threading involves a lot of careful redesigning and re-writing
> code but with OSs like Solaris, I think it would be worth it.
> 
> Siddhartha
> 
> ----- Original Message -----
> From: <agetchel at ...358...>
> To: <tlewis at ...255...>; <sjsnort at ...398...>
> Cc: <snort-devel at lists.sourceforge.net>
> Sent: Thursday, June 14, 2001 9:05 PM
> Subject: RE: [Snort-devel] Threaded snort
> 
> 
> > Hey guys,
> > Correct me if I'm wrong, but Marty's comments at the SANS conference
> > in Baltimore stated that Snort is not threaded (of course) and will not be
> > threaded to keep portability across all platforms that Snort is being run
> > on.  It was also discussed on this list, and the conclusions were the
> > same.
> >
> > Thanks,
> > Abe
> >
> > Abe L. Getchell - Security Engineer
> > Division of System Support Services
> > Kentucky Department of Education
> > Voice   502-564-2020x225
> > E-mail  agetchel at ...358...
> > Web     http://www.kde.state.ky.us/
> >
> >
> >
> > > -----Original Message-----
> > > From: tlewis at ...255... [mailto:tlewis at ...255...]
> > > Sent: Thursday, June 14, 2001 11:19 AM
> > > To: Sjsnort
> > > Cc: Snort-Devel
> > > Subject: Re: [Snort-devel] Threaded snort
> > >
> > >
> > > I strongly suspect that snort v2 will support threading.  The main
> > > problem with that whole issue, though, is that the majority of the
> > > cost comes in acquiring the packets, and all of the packet acquisition
> > > mechanisms, from pcap to netfilter to divert, are strongly
> > > single-threaded.  Until those interfaces, which are external to snort,
> > > are updated to be multi-threaded, or until other, threaded packet
> > > acquisition mechanisms are built to replace them, then threading won't
> > > give you the huge speedup that you would think that it would, unless
> > > you're just looking for a speedup on output processing.  Of course,
> > > all output methods I know of are single-threaded, too, but hey, on a
> > > 2-way, that's one cpu for packet acquisition and one cpu for
> > > reporting, with the actual matching just sort of happening wherever
> > > it's convenient.  8^)
> > >
> > > While we're on the subject, I don't see good prospects of the
> > > netfilter guys making netfilter particularly fast anytime soon.
> > > Anyone out there ever done any kernel hacking?  Let's pick a linux
> > > device driver (I'm partial to the intel eepro100, since that's what's
> > > on my box) and hack it up to allow snort to mmap the ethernet card's
> > > dma target, the receive buffer, directly.  Now that would let you be
> > > SMP and really fly.
> > >
> > > --
> > > Todd Lewis
> > > tlewis at ...255...
> > >
> > > On Thu, 14 Jun 2001, Sjsnort wrote:
> > >
> > > > Hi,
> > > >
> > > > In a recent discussion on the users list someone claimed that the
> > > > developers aren't planning to thread snort in future versions also.
> > > > Is it true? I thought Snort 2.0 would be threaded.
> > > >
> > > > Siddhartha
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Snort-devel mailing list
> > > > Snort-devel at lists.sourceforge.net
> > > > http://lists.sourceforge.net/lists/listinfo/snort-devel
> > > >
> 
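The design proposed in the thread above (engines that only read the captured packet, with threading selectable at build time the way OpenLDAP or perl allow), sketched in C as an added example. It is not Snort code; `Packet`, `Job`, `inspect` and the two toy engines are hypothetical names, and the default build deliberately needs no thread library.

```c
/* Added example, not Snort code. Threaded: cc -DUSE_THREADS -pthread; portable: cc */
#include <stddef.h>
#include <string.h>
#ifdef USE_THREADS
#include <pthread.h>
#endif
/* Hypothetical stand-in for the decoded packet; engines only ever read it. */
typedef struct { const unsigned char *data; size_t len; } Packet;
typedef int (*engine_fn)(const Packet *);
typedef struct { engine_fn fn; const Packet *pkt; int verdict; } Job;

static int has_nop_run(const Packet *p) {      /* toy engine: 4+ bytes of 0x90 */
    for (size_t i = 0, run = 0; i < p->len; i++)
        if ((run = (p->data[i] == 0x90) ? run + 1 : 0) >= 4) return 1;
    return 0;
}
static int has_traversal(const Packet *p) {    /* toy engine: "../" in payload */
    for (size_t i = 0; i + 3 <= p->len; i++)
        if (memcmp(p->data + i, "../", 3) == 0) return 1;
    return 0;
}
static const engine_fn ENGINES[] = { has_nop_run, has_traversal };
static void *run_job(void *arg) {
    Job *j = arg;
    j->verdict = j->fn(j->pkt);    /* each job writes only its own slot: no lock */
    return NULL;
}
/* Run up to 8 engines over one packet; bit i is set if engine i fired. */
int inspect(const Packet *pkt, const engine_fn *engines, size_t n) {
    Job jobs[8]; int mask = 0;
    if (n > 8) n = 8;
    for (size_t i = 0; i < n; i++) jobs[i] = (Job){ engines[i], pkt, 0 };
#ifdef USE_THREADS
    pthread_t tid[8]; int started[8];
    for (size_t i = 0; i < n; i++) {
        started[i] = pthread_create(&tid[i], NULL, run_job, &jobs[i]) == 0;
        if (!started[i]) run_job(&jobs[i]);      /* could not spawn: run inline */
    }
    for (size_t i = 0; i < n; i++) if (started[i]) pthread_join(tid[i], NULL);
#else
    for (size_t i = 0; i < n; i++) run_job(&jobs[i]);   /* same code, one thread */
#endif
    for (size_t i = 0; i < n; i++) if (jobs[i].verdict) mask |= 1 << i;
    return mask;
}

int main(void) {
    const unsigned char req[] = "GET /../../etc/passwd";   /* constructed sample */
    Packet p = { req, sizeof req - 1 };
    return inspect(&p, ENGINES, 2) == 2 ? 0 : 1;
}
```

Spawning a thread per engine per packet is for illustration only; it leaves packet acquisition single-threaded, which is the cost Todd Lewis's quoted reply points to.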



