[Snort-devel] Running pthread enabled snort?

Fyodor fygrave at ...1...
Fri Nov 23 01:09:04 EST 2001


On Thu, Nov 22, 2001 at 10:43:51PM +0100, Dirk Geschke wrote:
> Hi all,
> 
> I tried to build snort with pthread enabled. The idea is to try running
> one instance of snort on more than one interface. The source code implies
> that this could be possible...

When what I started is fixed, it looks like a redesign is needed
though, cuz originally I wanted to have it running using a 'thread per
interface' model, which eventually wouldn't work with the current libpcap
implementation (snort internals could be changed, it is not a big
problem).. so the solution is either to have libpcap fixed to make it
re-entrant, or to have a different design model (one idea is to have
shared memory segments and have the packet-capturing engines fork'ed
and reading the data per-interface, and passing it to shared-memory-mapped
segments to be read by snort. In this case no pthreads are needed, and
we solve both the portability (pthreads) and multiple interfaces issues
at the same time).

> After a long fight I got snort compiled with pthreads (I had to install
> the GNU Pth to get it compile without errors). Snort starts without
> problems but it seems to pick up no packets.
> 

It will pick up packets, but what it'd be picking up would be a
complete mess right now, since simultaneous threads would just be
working with numerous data structures at the same time, completely
screwing up the whole process. :-) I'd say: it will cause unexpected
results in the current code :-) (I made the changes in snort down to the
interface initialisation part, and that's where I realised that libpcap
is not re-entrant, and wouldn't work with threads.. I talked to the libpcap
guys and they said that making libpcap thread-safe was in the plans,
but it looks like this thing is still just 'planning' :-)

> The background is: If I use a tool like a Shomiti tap I need at least
> two ethernet cards to sniff the whole traffic, one for incoming traffic
> and one for outgoing. Therefore it would be nice to catch all the
> traffic with only one running snort...

Doh? :-) What is Shomiti? A hardware device? (triggers something in my
head, but I can't remember now :-))
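The fork-per-interface, shared-memory capture model sketched above, as an added example that is not code from this thread or from Snort: each forked engine writes into its own single-producer/single-consumer ring inside a MAP_SHARED segment and the single-threaded parent drains all rings, so neither libpcap re-entrancy nor pthreads is needed. The ring layout, the names (ring_put, ring_get, run_capture_demo) and the constructed packets standing in for libpcap captures are assumptions of this example, not anything the thread specifies.

```c
#define _DEFAULT_SOURCE                     /* for MAP_ANONYMOUS on glibc */
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#define RING_SLOTS 16                       /* slots per interface ring; power of two */
#define SNAPLEN 64                          /* bytes kept per captured packet */
/* One SPSC ring per capture engine: producer writes only head, consumer only tail. */
struct ring { volatile uint32_t head, tail;
              struct { uint32_t len; uint8_t data[SNAPLEN]; } slot[RING_SLOTS]; };
/* Producer side, where the forked per-interface engine's pcap callback would sit. */
static void ring_put(struct ring *r, const uint8_t *pkt, uint32_t len) {
    if (len > SNAPLEN) len = SNAPLEN;               /* never overrun the slot */
    while (r->head - r->tail == RING_SLOTS) ;       /* full: wait for the reader */
    uint32_t i = r->head & (RING_SLOTS - 1);
    r->slot[i].len = len; memcpy(r->slot[i].data, pkt, len);
    __sync_synchronize();                           /* publish data before head */
    r->head++;
}
/* Consumer side (snort): copies one packet out and returns 1, or 0 if empty. */
static int ring_get(struct ring *r, uint8_t *out, uint32_t *len) {
    if (r->tail == r->head) return 0;
    __sync_synchronize();                           /* see the data behind head */
    uint32_t i = r->tail & (RING_SLOTS - 1);
    *len = r->slot[i].len; memcpy(out, r->slot[i].data, *len);
    __sync_synchronize();                           /* finish reading before freeing the slot */
    r->tail++;
    return 1;
}
/* Forks one engine per interface, each feeding its ring with constructed packets
   (stand-in for libpcap), and drains every ring from the single-threaded parent. */
int run_capture_demo(int n_ifaces, int pkts_per_iface) {
    size_t sz = sizeof(struct ring) * n_ifaces;     /* anonymous mapping starts zeroed */
    struct ring *rings = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (rings == MAP_FAILED) return -1;
    for (int i = 0; i < n_ifaces; i++)
        if (fork() == 0) {                          /* child: capture engine for interface i */
            uint8_t pkt[SNAPLEN]; memset(pkt, i, SNAPLEN);   /* constructed packet tagged with i */
            for (int p = 0; p < pkts_per_iface; p++) ring_put(&rings[i], pkt, SNAPLEN);
            _exit(0);
        }
    int total = 0; uint8_t buf[SNAPLEN]; uint32_t len;
    while (total < n_ifaces * pkts_per_iface)      /* round-robin poll over all rings */
        for (int i = 0; i < n_ifaces; i++)
            if (ring_get(&rings[i], buf, &len) && len == SNAPLEN && buf[0] == (uint8_t)i) total++;
    while (wait(NULL) > 0) ;                        /* reap the engines */
    munmap(rings, sz); return total;                /* number of packets consumed */
}
```

A real engine would count and drop when its ring is full instead of spinning, so that capture loss under load shows up in statistics rather than as a stalled interface.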
