[Snort-devel] Threaded snort

Sjsnort sjsnort at ...398...
Thu Jun 14 14:44:25 EDT 2001


oh!! If multi-threading is planned for Snort 2.0, then i will happily and
patiently wait. :)

Siddhartha

----- Original Message -----
From: <agetchel at ...358...>
To: <sjsnort at ...398...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Friday, June 15, 2001 12:00 AM
Subject: RE: [Snort-devel] Threaded snort


> Hi Siddhartha,
> No one ever said there wasn't an advantage to having Snort threaded,
> it was just stated that it probably wasn't going to happen. =)  I think
> everyone agrees that threading Snort to allow it to take advantage of
> multiple processors would help performance, but the real question is can
> this be done without hurting the portability of the code?  The answer was a
> resounding 'no'.  I think that the Snort developers are on the right track
> when it comes to releasing Snort 2.0 to have the _capability_ to be
> threaded, but I sure wouldn't want to be the one to manage all those
> different source trees... =)
>
> Thanks,
> Abe
>
> Abe L. Getchell - Security Engineer
> Division of System Support Services
> Kentucky Department of Education
> Voice   502-564-2020x225
> E-mail  agetchel at ...358...
> Web     http://www.kde.state.ky.us/
>
>
>
> > -----Original Message-----
> > From: Sjsnort [mailto:sjsnort at ...398...]
> > Sent: Thursday, June 14, 2001 1:29 PM
> > To: snort-devel at lists.sourceforge.net
> > Subject: Re: [Snort-devel] Threaded snort
> >
> >
> > Well, i didn't go to SANS but from my CPU utilizations i do see a need for
> > multi-threaded snort. More so because i run snort on a dual-processor Sun
> > box and even with a low bandwidth 5-6 Mbps snort easily runs up to 60% usage
> > (Snort-1.8beta6 Build 25). Although, i know that in the stable release bugs
> > would be fixed and CPU utilization may come down but the point is that i
> > feel it is better to have single box (multi-processor) do as much snorting
> > as it can before going to do things like split the traffic between multiple
> > boxes (which by itself is a controversial topic)
> >
> > Anyway, here is how i think multi-threading can help. The way i understand
> > it is that once the packet is captured by libpcap and stored in a data
> > structure, all other engines & preprocessors essentially only read this data
> > structure and generate their conclusions from what they see in the data
> > structure. Given my assumption is right, couldn't all these engines and
> > preprocessors which only read the captured packet be turned into threads?
> > Also, output functions like those which write to files or databases also be
> > run as threads (i remember Marty saying somewhere that Snort writing to
> > Mysql eats more CPU).
> >
> > Although, i am not much of a programmer but to maintain cross-platform
> > operability, couldn't snort have an option like OpenLDAP or perl where you
> > can build them with or without threads support?
> >
> > I know multi-threading involves a lot of careful redesigning and re-writing
> > code but with OSs like Solaris, i think it would be worth it.
> >
> > Siddhartha
> >
> > ----- Original Message -----
> > From: <agetchel at ...358...>
> > To: <tlewis at ...255...>; <sjsnort at ...398...>
> > Cc: <snort-devel at lists.sourceforge.net>
> > Sent: Thursday, June 14, 2001 9:05 PM
> > Subject: RE: [Snort-devel] Threaded snort
> >
> >
> > > Hey guys,
> > > Correct me if I'm wrong, but Marty's comments at the SANS conference
> > > in Baltimore stated that Snort is not threaded (of course) and will not be
> > > threaded to keep portability across all platforms that Snort is being run
> > > on.  It was also discussed on this list, and the conclusions were the
> > > same.
> > >
> > > Thanks,
> > > Abe
> > >
> > > Abe L. Getchell - Security Engineer
> > > Division of System Support Services
> > > Kentucky Department of Education
> > > Voice   502-564-2020x225
> > > E-mail  agetchel at ...358...
> > > Web     http://www.kde.state.ky.us/
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: tlewis at ...255... [mailto:tlewis at ...255...]
> > > > Sent: Thursday, June 14, 2001 11:19 AM
> > > > To: Sjsnort
> > > > Cc: Snort-Devel
> > > > Subject: Re: [Snort-devel] Threaded snort
> > > >
> > > >
> > > > I strongly suspect that snort v2 will support threading.  The main problem
> > > > with that whole issue, though, is that the majority of the cost comes in
> > > > acquiring the packets, and all of the packet acquisition mechanisms, from
> > > > pcap to netfilter to divert, are strongly single-threaded.  Until those
> > > > interfaces, which are external to snort, are updated to be multi-threaded,
> > > > or until other, threaded packet acquisition mechanisms are built to
> > > > replace them, then threading won't give you the huge speedup that you
> > > > would think that it would, unless you're just looking for a speedup
> > > > on output processing.  Of course, all output methods I know of are
> > > > single-threaded, too, but hey, on a 2-way, that's one cpu for packet
> > > > acquisition and one cpu for reporting, with the actual matching just
> > > > sort of happening wherever it's convenient.  8^)
> > > >
> > > > While we're on the subject, I don't see good prospects of the netfilter
> > > > guys making netfilter particularly fast anytime soon.  Anyone out there
> > > > ever done any kernel hacking?  Let's pick a linux device driver (I'm
> > > > partial to the intel eepro100, since that's what's on my box) and hack
> > > > it up to allow snort to mmap the ethernet card's dma target, the receive
> > > > buffer, directly.  Now that would let you be SMP and really fly.
> > > >
> > > > --
> > > > Todd Lewis
> > > > tlewis at ...255...
> > > >
> > > > On Thu, 14 Jun 2001, Sjsnort wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > In a recent discussion on the users list someone claimed that the developers
> > > > > aren't planning to thread snort in future versions also. Is it true? I thought
> > > > > Snort 2.0 would be threaded.
> > > > >
> > > > > Siddhartha

