[Snort-devel] Running pthread enabled snort?

Fyodor fygrave at ...1...
Fri Nov 23 15:59:02 EST 2001


> 
> this sounds like a good idea. So you have to run one main snort program
> for analysing and for each interface a forked snort just capturing the
> data?

No, snort will fork itself. Unless having separate binaries is more
desirable.

> > 
> > it will pick up packets, but what it'd be picking up would be a
> > complete mess right now, since simultaneous threads would be just
> > working with numerous data structures at the same time, completely
> > screwing up the whole process. :-) I'd say: it will cause unexpected
> > results in the current code :-) (I made the changes in snort down to the
> > interfaces initialisation part, and that's where I realised that libpcap
> > is not re-entrant, and wouldn't work with threads.. I talked to the libpcap
> > guys and they said that making libpcap thread-safe was in the plans,
> > but it looks like this thing is still just 'planning' :-)
> 
> Okay, I didn't realize that libpcap is not thread-safe. I have the
> impression the development of libpcap is very slow...

Well, if you noticed in the code, I placed the lock just at the point
where the data is coming from libpcap, and during my testing I still
had _very_ funky results. You mentioned that with the static fix
which you posted, you managed to get things working, which actually
surprised me :-)

> > 
> > Doh? :-) what is shomiti? a hardware device? (triggers something in my
> > head, but can't remember now :-))
> 
> Yes, it is hardware. The minimal tap is like a mini hub with an uplink 
> to dedicated ports. So you can only read but not write via this link.
> It sounds like the best solution for stealth sniffing. But it is not
> cheap...
> 
>   http://www.finisar-systems.com/htdocssh/products/taps/index.html
> 

not cheap.. no wonder I never had a chance to play with it. :-) hax0ring
a linux box with some tapped t/p wires is way cheaper from a
management point of view ;-)

> The problem is: If you want to mirror complete traffic you need two
> sniffing ethernet cards. One card for the traffic from host A -> B
> and one for the reverse direction B -> A. In full duplex mode both
> directions can send at maximum speed. So to catch all data you need
> two ethernet cards.

Hmmm.. dodgy.. why wouldn't it work over a single wire to a switch/hub
or something?
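The two-card capture described in the quoted paragraph gives the sniffer one unidirectional stream per NIC (eth1 only ever sees A -> B, eth2 only B -> A), so whatever consumes them has to put the two legs back together before it sees a conversation. The following is an added example, not code from this thread or from Snort: it writes two constructed legs in the libpcap savefile format, reads each back as a single-direction capture, and merges them by kernel timestamp into one ordered full-duplex stream, which is what a single wire to a hub would have shown. Written in Python rather than Snort's C because the point is the data handling, not the capture loop; the function names, the MAC addresses and the four sample frames are mine and constructed.

```python
import heapq
import struct

# libpcap savefile layout: little-endian magic, version 2.4, LINKTYPE_ETHERNET
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len


def write_pcap(records, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into one pcap savefile blob."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(RECORD_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(blob):
    """Yield (ts_sec, ts_usec, frame_bytes) from a pcap blob; refuse truncated records."""
    if len(blob) < GLOBAL_HDR.size or struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap savefile")
    off = GLOBAL_HDR.size
    while off < len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        frame = blob[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated pcap record at offset %d" % off)
        off += incl_len
        yield ts_sec, ts_usec, frame


def eth_frame(src_mac, dst_mac, payload, ethertype=0x0800):
    """Minimal Ethernet II frame: dst(6) src(6) type(2) payload. Constructed; no real IP inside."""
    return dst_mac + src_mac + struct.pack(">H", ethertype) + payload


def _tagged(label, blob):
    # One generator per leg; a real function (not a genexpr in a loop) so `label` binds per leg.
    for ts_sec, ts_usec, frame in read_pcap(blob):
        yield (ts_sec, ts_usec, label, frame)


def merge_legs(*legs):
    """Merge (label, pcap_blob) legs into one list ordered by capture timestamp.

    Each leg must already be in timestamp order (a live capture on one NIC is), and the
    legs must share one clock: two cards in the same sniffing box both get kernel
    timestamps, so their stamps are comparable. Equal microseconds keep leg order.
    """
    return list(heapq.merge(*(_tagged(label, blob) for label, blob in legs),
                            key=lambda r: (r[0], r[1])))


def build_demo_legs():
    """Constructed sample: eth1 sees A -> B only, eth2 sees B -> A only (four frames in all)."""
    mac_a = bytes.fromhex("0200000000aa")   # locally administered, made-up addresses
    mac_b = bytes.fromhex("0200000000bb")
    t = 1006549142                          # constructed epoch seconds
    a_to_b = [(t, 0,   eth_frame(mac_a, mac_b, b"A->B #1")),
              (t, 300, eth_frame(mac_a, mac_b, b"A->B #2"))]
    b_to_a = [(t, 150, eth_frame(mac_b, mac_a, b"B->A #1")),
              (t, 450, eth_frame(mac_b, mac_a, b"B->A #2"))]
    return write_pcap(a_to_b), write_pcap(b_to_a)


def demo():
    """Read each leg back as a one-direction capture, then rebuild the full-duplex conversation."""
    leg_ab, leg_ba = build_demo_legs()
    return merge_legs(("eth1 A->B", leg_ab), ("eth2 B->A", leg_ba))


if __name__ == "__main__":
    for ts_sec, ts_usec, leg, frame in demo():
        print("%d.%06d %-9s %s" % (ts_sec, ts_usec, leg, frame[14:].decode()))
```

Either leg on its own shows only one destination MAC, which is exactly the blind spot the quoted paragraph warns about; only the merged list has the request/reply interleaving an IDS needs for stream reassembly. The merge is only meaningful when both cards are stamped by the same host clock; two separate sniffing boxes would need their clocks reconciled first.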
