[Snort-devel] multithreaded snort

Jost Kannegieser jost.kannegieser at ...2342...
Wed Jan 28 14:07:09 EST 2004


Hi Dirk

>I think this is not a good idea at all.
:-) 

>How about changes in the
>code? Then you have to check all files for all databases? Who will
>manage this? Or should be a maintainer for every database plugin?
>Then the code will run off and you will never be able to find a
>common line again. (Think of a redesign of the database and how to
>implement this in the several codes...)

I think the code will be much cleaner with an seperated approach -
have you taken a look at the #ifdefs Peter mentioned?

>Further I don't think that it is a good idea to build threading
>output plugins. I would strongly recommend to stick with one of
>the existing solutions, either the unified output and barnyard/mudpit
>or the unix socket approach used with FLoP.

Why not threading output plugins?

>If barnyard/mudpit/FLoP dies you can restart the service without
>mayor problems. But if one output thread dies maybe due to a
>SIGSEGV then the whole snort process will die. Of course you
>can restart snort but be aware on what you are loosing. All data
>of the preprocessors are gone, the whole establish functionality
>is gone and has to be rebuild and so on.

Here I agree with you, but this is a matter of writing good code.

>So finally: These ideas are not very helpful in my eyes...
:-)

Best regards

Jost





More information about the Snort-devel mailing list