[Snort-devel] more multithreaded stuff
Jack Whitsitt (jofny)
xaphan at ...2347...
Thu Jan 29 06:58:14 EST 2004
If I remember correctly (someone smack me if I'm wrong), but Snort is not
multithreaded due to cross-platform compatibility issues with threading. There was
some support for it early on and this has been removed.
Your best bet is probably to write any data you want to thread out via Unified or to
a Sock or to your own output-plugin or to _______. Once out of snort, have a
threaded listening application either do something with it and log it...or...in
cases where you want snort to look at it after it's been mangled..pass it back to
snort as a rebuilt packet (probably more work than it's worth, but possible).
I've done this using both Unified output and an output sock of sorts for my own
threaded needs and both have worked well.
> I was speaking with a co-worker yesterday and we were discussing the possibility
> of implementing a multithreaded design for preprocessing. If you could determine
> a hierarchy for the preprocessors that perhaps you could do some of the
> preprocessing in parallel. Any comments about the usefulness/feasibility of this?
> The SF.Net email is sponsored by EclipseCon 2004
> Premiere Conference on Open Tools Development and Integration
> See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
More information about the Snort-devel