[Snort-devel] multithreaded snort

Dirk Geschke Dirk_Geschke at ...802...
Wed Jan 28 13:22:28 EST 2004


Hi Jost,

> I agree with Peter's suggestion - putting support for different DBMSs
> in different output modules is in general a good idea. 
> This and running all DBMS-specific connect and insert stuff in 
> separate threads would IMHO bring snort to the next level of usability.

I think this is not a good idea at all. How about changes in the 
code? Then you have to check all files for all databases? Who will
manage this? Or should there be a maintainer for every database plugin?
Then the code will run off and you will never be able to find a
common line again. (Think of a redesign of the database and how to
implement this in the several codes...)

Further, I don't think that it is a good idea to build threading
output plugins. I would strongly recommend sticking with one of
the existing solutions, either the unified output and barnyard/mudpit
or the unix socket approach used with FLoP.

If barnyard/mudpit/FLoP dies you can restart the service without
major problems. But if one output thread dies, maybe due to a 
SIGSEGV, then the whole snort process will die. Of course you
can restart snort but be aware of what you are losing. All data
of the preprocessors are gone, the whole establish functionality
is gone and has to be rebuilt and so on.

So finally: These ideas are not very helpful in my eyes...

Best regards

Dirk
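
The crash-containment difference described in the message above, as an added example that is not part of the original mail and is not Snort, barnyard or FLoP code. All function names are hypothetical and `tracked_sessions` is a constructed stand-in for sensor state; a fault in an output thread takes the whole sensor process down, while a faulting external output process is restarted and the sensor keeps its state.

```c
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for in-memory sensor state (e.g. session tracking). */
static int tracked_sessions = 1000;
static void *faulty_output(void *arg) { (void)arg; raise(SIGSEGV); return NULL; }
/* Reap a child; return the signal that killed it, or 0 if it exited normally. */
static int fatal_signal(pid_t pid) {
    int st = 0;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : 0;
}
/* Sensor with an in-process output thread, run in a child so the caller survives. */
int threaded_sensor_fate(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        pthread_t t;
        signal(SIGSEGV, SIG_DFL);
        if (pthread_create(&t, NULL, faulty_output, NULL) != 0) _exit(2);
        pthread_join(t, NULL);   /* never returns: the fault ends every thread */
        _exit(0);
    }
    return fatal_signal(pid);
}
/* Sensor (this process) with a separate output process, restarted on a crash. */
int external_output_sensor(int *restarts) {
    *restarts = 0;
    for (int attempt = 0; attempt < 3; attempt++) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) {                          /* output process */
            signal(SIGSEGV, SIG_DFL);
            if (attempt == 0) raise(SIGSEGV);    /* first instance crashes */
            _exit(0);
        }
        if (fatal_signal(pid) == 0) break;       /* clean exit, nothing to restart */
        (*restarts)++;
    }
    return tracked_sessions;   /* sensor state is untouched by the output crash */
}

int main(void) {
    int r, sig = threaded_sensor_fate(), kept = external_output_sensor(&r);
    printf("threaded: killed by signal %d; external: %d kept, %d restart\n", sig, kept, r);
    return 0;
}
```

Build with `cc -pthread`; the threaded case is run inside a forked child only so that the demonstration itself survives to report the result.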




