[Snort-devel] multithreaded snort

Peter_J_Moore at ...1684...
Tue Jan 27 13:18:36 EST 2004

Apologies for the Lotus Notes formatting.

I think that each database "flavour" should have its own spo_xxxx.h file
(e.g. sp_postgresql.h) and all relevant database functions including state
and other connectivity issues should be maintained in that file.
IMHO there's a lot of #ifdef clutter in sp_database.c and it can be tedious
wading through them all. This would allow the easy addition of other
DBMSs like Sybase instead of having to go through and add in a myriad of
#ifdefs to get Sybase working in the current "format". (I got it working
btw, but that's another story)

I'd certainly be up for helping redesign this as I have DBA experience with
Sybase, Microsoft SQL Server, and PostgreSQL, and developed apps using
Oracle. I have access to PostgreSQL and Sybase at home (as well as MySQL if
necessary) and Oracle here at work. I can arrange access to MS SQL Server.


Peter Moore
Senior Technical Specialist
Distributed Services - Internet, Intranet & Infrastructure
National Australia Bank

Dirk Geschke <Dirk_Geschke at ...802...>
Sent by: snort-devel-admin at ...1685...ceforge.net
01/27/2004 11:33 PM

To:       Jost Kannegieser <jost.kannegieser at ...2342...>
cc:       snort-devel at lists.sourceforge.net, Dirk_Geschke at ...802...
Subject:  Re: [Snort-devel] multithreaded snort

Hi Jost,

> If I got it right the snort output plugins aren't multithreaded, which
> makes snort block if e.g. its database is not reachable.
> I know there are several projects trying to work around this problem
> (barnyard, FLoP ...) but they suffer from several disadvantages.
> Now my question: are these output plugins planned to be redesigned as
> separate threads?

All you can create as a thread within snort are the output-plugins.
So they would work in parallel. But if one plugin is blocked the
whole snort process is blocked.

I guess you think of something similar in design to FLoP where
you want to put the detection engine in one thread and the output
in another thread. This may work but would require a lot of work
to be done.

But what is wrong with the existing solutions like barnyard, mudpit,

I think all the existing solutions are better than any multithreaded
snort. Think of the same problem: How should for example snort handle
a gone database connection?

Best regards
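
The per-backend split proposed at the top of this message, and the "gone database connection" question in the quoted reply, can be sketched together as an added example (not code from Snort or from either poster). The `db_backend` struct, `db_find`, `db_log_alert` and the `fake_db` stand-in driver are all hypothetical names constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical interface: each DBMS supplies one table like this from its own file. */
typedef struct {
    const char *name;
    int  (*connect)(void *st);                 /* 0 = connected */
    int  (*insert)(void *st, const char *msg); /* 0 = row stored */
    void (*close)(void *st);
    void *st;                                  /* driver-private connection state */
} db_backend;

/* Constructed stand-in for a real driver; 'down' simulates an unreachable server. */
typedef struct { int down, connected, rows; } fake_db;
static int fake_connect(void *p) { fake_db *d = p; d->connected = !d->down; return d->connected ? 0 : -1; }
static int fake_insert(void *p, const char *msg) {
    fake_db *d = p; (void)msg;
    if (d->down || !d->connected) { d->connected = 0; return -1; }
    d->rows++; return 0;
}
static void fake_close(void *p) { ((fake_db *)p)->connected = 0; }

static fake_db pg_state, syb_state;
static db_backend backends[] = {   /* adding a DBMS = adding one row, no #ifdef */
    { "postgresql", fake_connect, fake_insert, fake_close, &pg_state },
    { "sybase",     fake_connect, fake_insert, fake_close, &syb_state },
};

db_backend *db_find(const char *name) {
    for (size_t i = 0; i < sizeof backends / sizeof backends[0]; i++)
        if (strcmp(backends[i].name, name) == 0) return &backends[i];
    return NULL;
}

/* Generic plugin code: try once, reconnect once, then fail fast so the
 * caller can spool the alert instead of stalling packet processing. */
int db_log_alert(db_backend *be, const char *msg) {
    if (be->insert(be->st, msg) == 0) return 0;
    be->close(be->st);
    if (be->connect(be->st) != 0) return -1;
    return be->insert(be->st, msg);
}

int main(void) {
    db_backend *be = db_find("sybase");
    printf("first alert: %d\n", db_log_alert(be, "constructed alert 1"));
    syb_state.down = 1;
    printf("server down: %d\n", db_log_alert(be, "constructed alert 2"));
    return 0;
}
```

A real driver's `connect` would also need a bounded timeout for the fail-fast return to hold; the stand-in here returns immediately by construction.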

