[Snort-devel] Running pthread enabled snort?

Dirk Geschke Dirk_Geschke at ...802...
Fri Nov 23 02:01:04 EST 2001


Hi,

[snip]

> re-entrant, or to have a different design model (one idea is to have
> shared memory segments and having packet-capturing engines being fork'ed
> and reading the data per-interface, and passing it to shared-memory-mapped
> segments to be read by snort. in this case no pthreads are needed, and
> we solve both the portability (pthreads) and multiple interfaces issues
> at the same time).

This sounds like a good idea. So you have to run one main snort program
for analysing, and for each interface a forked snort just capturing the
data?

> > After a long fight I got snort compiled with pthreads (I had to install
> > the GNU Pth to get it compile without errors). Snort starts without
> > problems but it seems to pick up no packets. 
> > 
> 
> it will pick up packets, but what it'd be picking up would be a
> complete mess right now, since simultaneous threads would be just
> working with numerous data-structures at the same time, completely
> screwing up the whole process. :-) I'd say: it will cause unexpected
> results in the current code :-) (I made the changes in snort down to the
> interfaces initialisation part, and that's where I realised that libpcap
> is not re-entrant, and wouldn't work with threads.. I talked to the libpcap
> guys and they said that making libpcap thread-safe was in the plans,
> but it looks like this thing is still just 'planning' :-)

Okay, I didn't realize that libpcap is not thread-safe. I have the
impression that the development of libpcap is very slow...

> > The background is: If I use a tool like a Shomiti tap I need at least
> > two ethernet cards to sniff the whole traffic, one for incoming traffic
> > and one for outgoing. Therefore it would be nice to catch all the
> > traffic with only one running snort...
> 
> Doh? :-) What is Shomiti? A hardware device? (triggers something in my
> head, but can't remember now :-))

Yes, it is hardware. The minimal tap is like a mini hub with an uplink 
to dedicated ports. So you can only read but not write via this link.
It sounds like the best solution for stealth sniffing. But it is not
cheap...

  http://www.finisar-systems.com/htdocssh/products/taps/index.html

The problem is: If you want to mirror the complete traffic you need two
sniffing ethernet cards. One card for the traffic from host A -> B
and one for the reverse direction B -> A. In full duplex mode both
directions can send at maximum speed. So to catch all data you need
two ethernet cards.

With an uplink port on a switch you slow down the traffic, but that
normally does not matter since most of the time you will only have
huge traffic in one direction. With the tap you have no choice but
to use two NICs for sniffing....

Best regards

Dirk Geschke

-- 
+------------------------------------------------------------+
| Dr. Dirk Geschke            | E-mail: geschke at ...802...     |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-31 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-99 |
| 85551 Kirchheim / Germany   | Raeter Straße 26             |
+------------------------------------------------------------+
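An added example, not code from Snort or from either poster, of the design sketched at the top of this message: one capture process per interface, fork'ed from a single analyser, handing packets over through a shared-memory segment so that libpcap is only ever touched by one process and no pthreads are involved. It also covers the two-NIC tap case discussed at the end: each child sees only one direction, and the parent merges both rings into one timestamp-ordered stream, the way a single snort would need to see them. Assumptions: Linux/POSIX with GCC or Clang `__atomic` builtins; the packets are constructed in the `SAMPLES` table instead of coming from `pcap_loop()` on a real NIC; ring size, snaplen and the `struct pkt`/`struct ring` layout are invented for the example.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

#define NUM_IFACES 2      /* one NIC per tap direction */
#define RING_SLOTS 64
#define MAX_SNAP   64

struct pkt {
    uint64_t ts_us;       /* capture timestamp in microseconds */
    uint16_t caplen;
    uint8_t  iface;       /* which NIC (direction) saw it */
    uint8_t  data[MAX_SNAP];
};

/* One ring per interface in a MAP_SHARED segment created before fork():
   the capture child is the only writer of head, the analysing parent the
   only writer of tail, so no locks are needed (single producer/consumer). */
struct ring {
    uint32_t head, tail, done;
    struct pkt slots[RING_SLOTS];
};

static struct ring *ring_map(void) {
    void *p = mmap(NULL, sizeof(struct ring), PROT_READ | PROT_WRITE,
                   MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) { perror("mmap"); exit(1); }
    memset(p, 0, sizeof(struct ring));
    return (struct ring *)p;
}

/* Producer: wait while full, copy the packet, then publish head with a
   release store so the slot contents are visible before the new head is. */
static void ring_push(struct ring *r, const struct pkt *p) {
    uint32_t head = r->head;
    while (head - __atomic_load_n(&r->tail, __ATOMIC_ACQUIRE) == RING_SLOTS)
        usleep(100);
    r->slots[head % RING_SLOTS] = *p;
    __atomic_store_n(&r->head, head + 1, __ATOMIC_RELEASE);
}

/* Consumer: oldest unread packet, or NULL if the ring is empty. */
static struct pkt *ring_peek(struct ring *r) {
    uint32_t tail = r->tail;
    if (__atomic_load_n(&r->head, __ATOMIC_ACQUIRE) == tail) return NULL;
    return &r->slots[tail % RING_SLOTS];
}

static void ring_pop(struct ring *r) {
    __atomic_store_n(&r->tail, r->tail + 1, __ATOMIC_RELEASE);
}

/* Constructed sample traffic (not a real capture): NIC 0 only ever sees
   A->B, NIC 1 only B->A, as behind a full-duplex tap. */
struct sample { uint8_t iface; uint64_t ts_us; const char *text; };
static const struct sample SAMPLES[] = {
    {0, 1000, "A->B SYN"},      {1, 1500, "B->A SYN/ACK"},
    {0, 2000, "A->B ACK"},      {0, 2100, "A->B GET /"},
    {1, 2900, "B->A 200 OK"},   {1, 4000, "B->A FIN"},
    {0, 4100, "A->B FIN"},
};

/* Capture child for one interface. A real one would pcap_open_live() the
   NIC and call ring_push() from its pcap_loop() callback; libpcap is then
   used by exactly one process, so its thread-safety never matters. */
static void capture_child(struct ring *r, uint8_t iface) {
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        if (SAMPLES[i].iface != iface) continue;
        struct pkt p = {0};
        p.ts_us = SAMPLES[i].ts_us;
        p.iface = iface;
        p.caplen = (uint16_t)strlen(SAMPLES[i].text);
        memcpy(p.data, SAMPLES[i].text, p.caplen);
        ring_push(r, &p);
        usleep(200);      /* pretend the wire is idle for a moment */
    }
    __atomic_store_n(&r->done, 1, __ATOMIC_RELEASE);
}

/* Analyser: merge all rings into one timestamp-ordered stream. A packet is
   emitted only when every still-running capture has something queued,
   otherwise a slower NIC could later deliver an older packet. */
static size_t merge_rings(struct ring **rings, int n, struct pkt *out, size_t max_out) {
    size_t count = 0;
    for (;;) {
        int best = -1, pending = 0;
        for (int i = 0; i < n; i++) {
            int finished = __atomic_load_n(&rings[i]->done, __ATOMIC_ACQUIRE);
            struct pkt *p = ring_peek(rings[i]);   /* head is read after done */
            if (p) {
                if (best < 0 || p->ts_us < ring_peek(rings[best])->ts_us) best = i;
            } else if (!finished) {
                pending = 1;
            }
        }
        if (pending) { usleep(100); continue; }
        if (best < 0) return count;            /* all captures done and drained */
        if (count < max_out) out[count] = *ring_peek(rings[best]);
        count++;
        ring_pop(rings[best]);
    }
}

/* Fork one capture process per interface and merge in the parent. */
static size_t run_capture(struct pkt *out, size_t max_out) {
    struct ring *rings[NUM_IFACES];
    pid_t pids[NUM_IFACES];
    for (int i = 0; i < NUM_IFACES; i++) {
        rings[i] = ring_map();                 /* mapped before fork: shared */
        pids[i] = fork();
        if (pids[i] < 0) { perror("fork"); exit(1); }
        if (pids[i] == 0) { capture_child(rings[i], (uint8_t)i); _exit(0); }
    }
    size_t n = merge_rings(rings, NUM_IFACES, out, max_out);
    for (int i = 0; i < NUM_IFACES; i++) {
        waitpid(pids[i], NULL, 0);
        munmap(rings[i], sizeof(struct ring));
    }
    return n;
}

/* Run the pipeline and check the merged stream: returns the packet count,
   -1 if timestamps are not strictly increasing, -2 if a direction is missing. */
static long run_and_check(void) {
    struct pkt out[32];
    size_t per_iface[NUM_IFACES] = {0};
    size_t n = run_capture(out, 32);
    for (size_t i = 0; i < n; i++) {
        if (i && out[i].ts_us <= out[i - 1].ts_us) return -1;
        per_iface[out[i].iface]++;
    }
    for (int i = 0; i < NUM_IFACES; i++) if (!per_iface[i]) return -2;
    return (long)n;
}

int main(void) {
    struct pkt out[32];
    size_t n = run_capture(out, 32);
    for (size_t i = 0; i < n; i++)
        printf("%6llu us  nic%u  %.*s\n", (unsigned long long)out[i].ts_us,
               (unsigned)out[i].iface, out[i].caplen, (const char *)out[i].data);
    return 0;
}
```

The merge rule is the part worth keeping even when the rest changes: with one ring per NIC the analyser cannot simply take whichever ring has data, because the other direction may still be delivering an older packet; it has to wait until every live capture has at least one packet queued (or has finished) before picking the smallest timestamp, and the `done` flag has to be read before the ring's `head` so that a capture seen as finished is also seen with all of its packets published.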
