[Snort-devel] thread variables/program variables

Michael Richardson Michael.Richardson at ...2449...
Fri Apr 2 09:54:02 EST 2004




Hi, I'm in the process of porting snort (likely, parts of snort) to an 
embedded platform. While it uses uClibc, the platform is otherwise a
single address space with non-preempting (cooperative) multitasking.

Naturally, there are multiple interfaces that we wish to watch, and like
a fellow that was trying to monitor two load-balanced network links, we
will actually see traffic coming/going in two separate streams.

What I have done is to gather all of the globals that were in snort.c
and put them into a structure which I called "thread_variables" (TV *).
I then turned "program_variables" (PV *) from a global into something
which was contextualized. 

Most of the debugging/logging routines need access to "PV", so there is
apparently a lot of churn to get it to the places that need it. 

The intention is that each "thread" listens to a single data source,
while each "program" represents a single configuration. So, for
instance, if one had a box with four interfaces configured to listen to
two networks, with a xmit/recv pair for each network, then one would
have four "thread"s, with two "program"s.

So, for instance the global "RuleList" has become per-program. There are
other global lists which I have not yet dealt with. I am pretty sure
that the list of various plug-ins to be used will be per-program. 

On a Unix platform there is little reason at present not to run two
copies of snort in this situation. On an embedded system this could be
difficult. If the two sensor points were on two sides of a security
gateway, then perhaps in the future, people will write plugins that
correlate traffic.

Many functions take Packet *p already and pass it around a lot. I have
added a "TV *tv;" member to the Packet. The allocation point for the
Packet p sets it. A lot of routines therefore have stuff like:

int NewScan(ScanList * scanList, Packet * p, ScanType scanType)
{
    TV *tv = p->tv;     /* per-thread context, set where the Packet was allocated */
    PV *pv = tv->pv;    /* per-program context, reached through the thread */

...
    FatalError(pv, "something bad happened");
...
}

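To make the TV/PV layout concrete, here is an added, self-contained sketch of the scheme described above; it is my illustration, not code from the patch, and the struct fields, AllocPacket(), ScanPacket() and RunTopology() are hypothetical stand-ins for the real snort routines:

```c
#include <stdlib.h>

/* Per-program state: one configuration; old globals such as RuleList live here. */
typedef struct program_variables {
    int rule_count;            /* stand-in for the per-program RuleList */
} PV;

/* Per-thread state: one data source, bound to exactly one program. */
typedef struct thread_variables {
    const char *interface;
    PV *pv;
    unsigned long packets_seen;
} TV;

typedef struct packet {
    TV *tv;                    /* set once, at the allocation point */
} Packet;

/* Allocation point: the only place that must know the owning thread. */
Packet *AllocPacket(TV *tv)
{
    Packet *p = calloc(1, sizeof *p);
    if (p == NULL) return NULL;
    p->tv = tv;
    tv->packets_seen++;
    return p;
}

/* Like NewScan() above: recover both contexts from the packet, no globals. */
int ScanPacket(Packet *p)
{
    TV *tv = p->tv;
    PV *pv = tv->pv;
    return pv->rule_count;     /* rules applied come from this program only */
}

/* Hypothetical topology from the post: four interfaces (an xmit/recv pair per
   network) as four threads sharing two programs. Returns total rule
   evaluations, or -1 if a thread's packet count does not match its input. */
int RunTopology(int rules_net0, int rules_net1, int packets_per_thread)
{
    PV pv[2] = { { rules_net0 }, { rules_net1 } };
    TV tv[4] = { { "eth0", &pv[0], 0 }, { "eth1", &pv[0], 0 },
                 { "eth2", &pv[1], 0 }, { "eth3", &pv[1], 0 } };
    int evaluated = 0;
    for (int i = 0; i < 4; i++) {
        for (int n = 0; n < packets_per_thread; n++) {
            Packet *p = AllocPacket(&tv[i]);
            if (p == NULL) return -1;
            evaluated += ScanPacket(p);
            free(p);
        }
        if (tv[i].packets_seen != (unsigned long)packets_per_thread) return -1;
    }
    return evaluated;
}
```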

The changes/churn are extensive, but not that major. I have generated a
patch and applied it to HEAD checked out from SF.net. The patch is at:
      http://www.sandelman.ca/SSW/seaway/snort1.patch.gz

      patch -p0 it from "snort" directory.

The patch applies cleanly and compiles fine. I'm in the process of
testing it. If someone wants, I could commit it directly, had I access.

I also stuck Emacs "Local-Variables" at the end to set the style. 
Some files had vim stuff as well. I chose "bsd" style with
"basic-offset" 4. That isn't quite perfect for the code. I'd be happy to
change them all if someone has better advice. The authors are clearly
vim users. I'm not for code, just config files. (No wars please)

Still TODO:

1) I have not touched DebugMessage() yet. I expect additional churn when
   I get to that part. 
   Probably debugging doesn't need to be per-thread/per-program.

2) many plugins have static variables/structures. They will need to be
   either per-thread or per-program.
   It is my intention to 
	
