[Snort-devel] multithreaded snort

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Wed Jan 28 07:50:44 EST 2004


I've started work on something similar, but have run out of time to work
on it anymore.  I've been calling it spo_rdbms.  Currently the only
module I've built to plug into spo_rdbms is spo_rdbms_oracle...  The
config works almost identically to current, but things like prepares and
binds are used as much as possible.

Along with this change, I've also redesigned the DB into two different
styles.  Both utilize sequences (for Oracle), or however you want; put
it in your spo_rdbms_<DB>.   The first keeps the basic idea of
separation of the header tables ip/tcp/udp/icmp.   The second combines
all of these into one.   It also eliminates some things that become
erroneous when combining them, such as the ports....

The second one greatly outperforms the first when doing massive queries,
where in the old version you have to join 7 tables together, in the new
version this is 3.

Since the PK in everything is a sequence, 'sid' has been removed from
every table except the events table (and of course, the sensor table).

I'd be very interested in spending more of my time, or finding time to
work on this if there are people out there better in C than I.... I've
hit a roadblock in making some things using OCI work the way I want. 

-CJK
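The two table layouts and the bind-based inserts described above, as an added example that is not part of the original post and not Snort's spo_database/spo_rdbms code. SQLite with AUTOINCREMENT stands in for an Oracle sequence, and the table names, column names and sample alerts are assumptions made for the example. It shows two things a practitioner would want to check: the combined packet table reassembles the same alert with three JOINs where the per-protocol layout needs seven here, and with bound parameters a payload carrying a quote and a statement terminator is stored as bytes rather than spliced into the statement.

```python
# Added example, not Snort's spo_database/spo_rdbms code.  Table and column names, SQLite
# AUTOINCREMENT standing in for an Oracle sequence, and the sample alerts are assumptions.
import sqlite3

COMMON = """
CREATE TABLE sensor(sid INTEGER PRIMARY KEY AUTOINCREMENT, hostname TEXT NOT NULL);
CREATE TABLE signature(sig_id INTEGER PRIMARY KEY AUTOINCREMENT, sig_name TEXT NOT NULL);
CREATE TABLE event(cid INTEGER PRIMARY KEY AUTOINCREMENT, ts TEXT NOT NULL,
    sid INTEGER NOT NULL REFERENCES sensor(sid), sig_id INTEGER NOT NULL REFERENCES signature(sig_id));
"""
# Layout A: one header table per protocol (the classic separated schema).
SCHEMA_SEPARATED = COMMON + """
CREATE TABLE iphdr(cid INTEGER PRIMARY KEY REFERENCES event(cid), ip_src TEXT, ip_dst TEXT, ip_proto INTEGER);
CREATE TABLE tcphdr(cid INTEGER PRIMARY KEY REFERENCES event(cid), tcp_sport INTEGER, tcp_dport INTEGER, tcp_flags INTEGER);
CREATE TABLE udphdr(cid INTEGER PRIMARY KEY REFERENCES event(cid), udp_sport INTEGER, udp_dport INTEGER);
CREATE TABLE icmphdr(cid INTEGER PRIMARY KEY REFERENCES event(cid), icmp_type INTEGER, icmp_code INTEGER);
CREATE TABLE data(cid INTEGER PRIMARY KEY REFERENCES event(cid), payload BLOB);
"""
# Layout B: headers folded into one packet table; tcp_/udp_ ports collapse into one pair, unused columns stay NULL.
SCHEMA_COMBINED = COMMON + """
CREATE TABLE packet(cid INTEGER PRIMARY KEY REFERENCES event(cid), ip_src TEXT, ip_dst TEXT,
    ip_proto INTEGER, sport INTEGER, dport INTEGER, tcp_flags INTEGER, icmp_type INTEGER,
    icmp_code INTEGER, payload BLOB);
"""

# Reassembling one alert: seven JOINs on the separated layout, three on the combined one.
FETCH_SEPARATED = """
SELECT e.cid, s.hostname, g.sig_name, e.ts, i.ip_src, i.ip_dst, i.ip_proto,
       COALESCE(t.tcp_sport, u.udp_sport), COALESCE(t.tcp_dport, u.udp_dport),
       t.tcp_flags, c.icmp_type, c.icmp_code, d.payload
  FROM event e JOIN sensor s ON s.sid = e.sid JOIN signature g ON g.sig_id = e.sig_id
  JOIN iphdr i ON i.cid = e.cid LEFT JOIN tcphdr t ON t.cid = e.cid
  LEFT JOIN udphdr u ON u.cid = e.cid LEFT JOIN icmphdr c ON c.cid = e.cid
  LEFT JOIN data d ON d.cid = e.cid
 WHERE e.cid = ?"""
FETCH_COMBINED = """
SELECT e.cid, s.hostname, g.sig_name, e.ts, p.ip_src, p.ip_dst, p.ip_proto,
       p.sport, p.dport, p.tcp_flags, p.icmp_type, p.icmp_code, p.payload
  FROM event e JOIN sensor s ON s.sid = e.sid JOIN signature g ON g.sig_id = e.sig_id
  JOIN packet p ON p.cid = e.cid
 WHERE e.cid = ?"""
COLUMNS = ("cid", "hostname", "sig_name", "ts", "ip_src", "ip_dst", "ip_proto",
           "sport", "dport", "tcp_flags", "icmp_type", "icmp_code", "payload")

def open_db(schema):
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    conn.execute("INSERT INTO sensor(hostname) VALUES (?)", ("sensor-01",))
    conn.execute("INSERT INTO signature(sig_name) VALUES (?)", ("EXAMPLE suspicious request",))
    return conn

def insert_separated(conn, a):
    """Event row plus a row in each header table that applies; every value is a bind."""
    cid = conn.execute("INSERT INTO event(sid, sig_id, ts) VALUES (?, ?, ?)", (1, 1, a["ts"])).lastrowid
    conn.execute("INSERT INTO iphdr VALUES (?, ?, ?, ?)", (cid, a["ip_src"], a["ip_dst"], a["ip_proto"]))
    if a["ip_proto"] == 6:
        conn.execute("INSERT INTO tcphdr VALUES (?, ?, ?, ?)", (cid, a["sport"], a["dport"], a["tcp_flags"]))
    elif a["ip_proto"] == 17:
        conn.execute("INSERT INTO udphdr VALUES (?, ?, ?)", (cid, a["sport"], a["dport"]))
    elif a["ip_proto"] == 1:
        conn.execute("INSERT INTO icmphdr VALUES (?, ?, ?)", (cid, a["icmp_type"], a["icmp_code"]))
    conn.execute("INSERT INTO data VALUES (?, ?)", (cid, a["payload"]))
    conn.commit()
    return cid

def insert_combined(conn, a):
    """Event row plus one packet row; the payload goes in as a bound blob, never as SQL text."""
    cid = conn.execute("INSERT INTO event(sid, sig_id, ts) VALUES (?, ?, ?)", (1, 1, a["ts"])).lastrowid
    conn.execute("INSERT INTO packet VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
                 (cid, a["ip_src"], a["ip_dst"], a["ip_proto"], a["sport"], a["dport"],
                  a["tcp_flags"], a["icmp_type"], a["icmp_code"], a["payload"]))
    conn.commit()
    return cid

def fetch(conn, sql, cid):
    row = conn.execute(sql, (cid,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None

# Constructed sample alerts, not real captures.  The TCP payload carries a quote and a
# statement terminator on purpose; bound as a parameter it is opaque bytes.
SAMPLE_ALERTS = [
    dict(ts="2004-01-27 23:33:00", ip_src="10.0.0.5", ip_dst="10.0.0.9", ip_proto=6, sport=44321,
         dport=80, tcp_flags=0x18, icmp_type=None, icmp_code=None,
         payload=b"GET /?q='; DROP TABLE event; -- HTTP/1.0\r\n"),
    dict(ts="2004-01-27 23:33:01", ip_src="10.0.0.5", ip_dst="10.0.0.9", ip_proto=17, sport=5353,
         dport=53, tcp_flags=None, icmp_type=None, icmp_code=None, payload=b"\x12\x34\x01\x00"),
    dict(ts="2004-01-27 23:33:02", ip_src="10.0.0.5", ip_dst="10.0.0.9", ip_proto=1, sport=None,
         dport=None, tcp_flags=None, icmp_type=8, icmp_code=0, payload=b"abcdefgh"),
]

def compare_layouts():
    """Load the samples into both layouts; return (same_view, rows, events_stored)."""
    sep, comb = open_db(SCHEMA_SEPARATED), open_db(SCHEMA_COMBINED)
    for a in SAMPLE_ALERTS:
        insert_separated(sep, a)
        insert_combined(comb, a)
    cids = range(1, len(SAMPLE_ALERTS) + 1)
    rows_sep = [fetch(sep, FETCH_SEPARATED, c) for c in cids]
    rows_comb = [fetch(comb, FETCH_COMBINED, c) for c in cids]
    return rows_sep == rows_comb, rows_comb, sep.execute("SELECT count(*) FROM event").fetchone()[0]
```

Calling compare_layouts() loads three constructed alerts (TCP, UDP, ICMP) into both layouts and confirms they read back identically through the two queries; the UDP row is where the separate tcp_/udp_ port columns collapse into one pair, which is the "ports" redundancy the post mentions, and the event table is still there afterwards because the hostile payload only ever travelled as a bound value.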

-----Original Message-----
From: Peter_J_Moore at ...1684...
[mailto:Peter_J_Moore at ...1684...] 
Sent: Tuesday, January 27, 2004 3:06 PM
To: Dirk Geschke
Cc: Dirk_Geschke at ...802...; Jost Kannegieser;
snort-devel at lists.sourceforge.net;
snort-devel-admin at lists.sourceforge.net
Subject: Re: [Snort-devel] multithreaded snort



Apologies for the Lotus Notes formatting.

I think that each database "flavour" should have its own spo_xxxx.h file
(eg sp_postgresql.h) and all relevant database functions including state
and other connectivity issues should be maintained in that file. IMHO
there's a lot of #ifdef clutter in sp_database.c and it can be tedious
wading through them all. This would allow the easy addition of other
DBMSs like Sybase instead of having to go through and add in a myriad of
#ifdefs to get Sybase working in the current "format". (I got it working
btw, but that's another story)

I'd certainly be up for helping redesign this as I have DBA experience
with Sybase, Microsoft SQL Server, and PostgreSQL, and developed apps
using Oracle. I have access to PostgreSQL and Sybase at home (as well as
MySQL if necessary) and Oracle here at work. I can arrange access to MS
SQL Server.

cheers
peter


Peter Moore
Senior Technical Specialist
Distributed Services - Internet, Intranet & Infrastructure
National Australia Bank


From: Dirk Geschke <Dirk_Geschke at ...802...>
Sent by: snort-devel-admin at ...1685...ceforge.net
Date: 01/27/2004 11:33 PM
To: Jost Kannegieser <jost.kannegieser at ...2342...>
cc: snort-devel at lists.sourceforge.net, Dirk_Geschke at ...802...
Subject: Re: [Snort-devel] multithreaded snort

Hi Jost,

> If I got it right the snort output plugins aren't multithreaded, which
> makes snort block if e.g. its database is not reachable.
> I know there are several projects trying to work around this problem
> (barnyard, FLoP ...) but they suffer from several disadvantages.
>
> Now my question: are these output plugins planned to be redesigned as
> separate threads?

All you can create as threads within snort are the output plugins.
So they would work in parallel. But if one plugin is blocked the
whole snort process is blocked.

I guess you think of something similar in design like FLoP where
you want to put the detection engine in one thread and the output
in another thread. This may work but would require a lot of work
to be done.

But what is wrong with the existing solutions like barnyard, mudpit,
FLoP, ...?

I think all the existing solutions are better than any multithreaded
snort. Think of the same problem: How should for example snort handle
a gone database connection?

Best regards

Dirk
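The decoupling Dirk points to in barnyard, mudpit and FLoP, reduced to the part that answers his closing question, as an added example that is none of those tools' code and not Snort's: the sensor only appends to a local spool file, and a separate reader replays it into the database, so a lost database connection stalls the reader's bookmark rather than the sensor. The record format, the bookmark handling and the FlakyDB stand-in are assumptions made for the example.

```python
# Added example, not Snort, barnyard, mudpit or FLoP code: the spool-and-replay
# shape those tools use, reduced to the part that answers "what if the DB is gone".
# Record format, bookmark handling and the FlakyDB stand-in are all assumptions.
import os
import struct
import tempfile

REC_HDR = struct.Struct(">I")      # 4-byte big-endian length, then the event bytes


class Spool:
    """Append-only file the sensor writes to.  append() never talks to the DB,
    so a dead database cannot block the detection path."""

    def __init__(self, path):
        self.path = path

    def append(self, event: bytes) -> None:
        with open(self.path, "ab") as f:
            f.write(REC_HDR.pack(len(event)) + event)
            f.flush()
            os.fsync(f.fileno())

    def records(self, offset: int):
        """Yield (offset_after_record, event) from a byte offset onward.  A short
        read at the tail is a record still being written: stop and retry later."""
        with open(self.path, "rb") as f:
            f.seek(offset)
            while True:
                hdr = f.read(REC_HDR.size)
                if len(hdr) < REC_HDR.size:
                    return
                (length,) = REC_HDR.unpack(hdr)
                body = f.read(length)
                if len(body) < length:
                    return
                offset += REC_HDR.size + length
                yield offset, body


class Consumer:
    """Replays the spool into the database.  The bookmark (byte offset) only
    advances after an insert succeeds, so an outage means 'stop here and retry',
    never 'lose an alert' or 'insert it twice'."""

    def __init__(self, spool, db_insert):
        self.spool, self.db_insert, self.bookmark = spool, db_insert, 0

    def drain(self):
        """Push every unread record into the DB; return (inserted, stalled)."""
        inserted = 0
        for next_offset, event in self.spool.records(self.bookmark):
            try:
                self.db_insert(event)
            except ConnectionError:
                return inserted, True       # bookmark stays on the failed record
            self.bookmark = next_offset
            inserted += 1
        return inserted, False


class FlakyDB:
    """Constructed stand-in for a DB client: raises while .up is False."""

    def __init__(self):
        self.up, self.rows = True, []

    def insert(self, event):
        if not self.up:
            raise ConnectionError("database unreachable")
        self.rows.append(event)


def outage_scenario():
    """Sensor keeps logging through a DB outage; consumer catches up afterwards.
    Returns (during_outage, after_recovery, delivered_in_order_once)."""
    path = os.path.join(tempfile.mkdtemp(), "alerts.spool")
    spool, db = Spool(path), FlakyDB()
    consumer = Consumer(spool, db.insert)
    events = [b"alert %d" % i for i in range(6)]   # constructed, not real alerts
    for e in events[:2]:
        spool.append(e)
    consumer.drain()                       # normal operation: (2, False)
    db.up = False                          # the database goes away
    for e in events[2:5]:
        spool.append(e)                    # sensor side is unaffected
    during = consumer.drain()              # stalls, bookmark unchanged: (0, True)
    db.up = True
    spool.append(events[5])
    after = consumer.drain()               # events 2..5 delivered exactly once: (4, False)
    return during, after, db.rows == events


def torn_tail_is_skipped():
    """A half-written trailing record (crash mid-append) is left for the next pass."""
    path = os.path.join(tempfile.mkdtemp(), "alerts.spool")
    spool = Spool(path)
    spool.append(b"complete")
    with open(path, "ab") as f:
        f.write(REC_HDR.pack(100) + b"only-part")    # header promises 100 bytes, body is short
    return [e for _, e in spool.records(0)]
```

The bookmark is advanced only after a successful insert and sits on the failed record for the whole outage, so recovery resumes from exactly that point; the torn-tail check covers the other failure mode, a sensor that died mid-append, whose partial record is left alone rather than misparsed as the start of the next one.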



-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Snort-devel mailing list
Snort-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel