[Snort-devel] multithreaded snort

Dirk Geschke Dirk_Geschke at ...802...
Tue Jan 27 04:39:36 EST 2004


Hi Jost,

> If I got it right the snort output plugins aren't multithreaded, which
> makes snort block if e.g. its database is not reachable.
> I know there are several projects trying to work around this problem
> (barnyard, FLoP ...) but they suffer from several disadvantages.
> 
> Now my question: are these output plugins planned to be redesigned as
> separate threads?

All you can create as threads within snort are the output-plugins.
So they would work in parallel. But if one plugin is blocked the
whole snort process is blocked.

I guess you think of something similar in design to FLoP where
you want to put the detection engine in one thread and the output
in another thread. This may work but would require a lot of work
to be done. 

But what is wrong with the existing solutions like barnyard, mudpit,
FLoP,...?

I think all the existing solutions are better than any multithreaded
snort. Think of the same problem: How should for example snort handle
a gone database connection?

Best regards

Dirk




