[Snort-devel] Multithreading in Snort?

Dirk Geschke dirk at ...972...
Sat Jan 12 06:17:44 EST 2008


Hi Ragho,

> I know this topic may have been visited before, but I'm looking for
> background on multithreading with Snort.  From the archives, it looks like
> this topic was discussed in 2002 and 2004 but without any significant
> detail.
> 
> Granted that this is a rookie question, what facets of Snort are MT
> "unsafe?"  If I can assure packet ordering on a per-flow basis such that a
> given flow always enters a given Snort thread, where is synchronization
> required among multiple calls to PcapProcessPacket()?  Can folks who have
> knowledge of Snort internals comment on specific considerations?

The biggest problem is libpcap: it is not thread safe.

So all threading could be done after the call to libpcap.

In principle the preprocessors could be threaded, as could the
detection engine and the output plugins. But some preprocessors need
to be called in the right order. This won't be easily threadable.

Getting threadable preprocessors requires much work; stream5 won't
be happy if some packets are in another thread...

So maybe you can start a thread after the preprocessors have done
their work, the main process can return to wait for new packets.

But I fear that this will not really make things better...

Best regards

Dirk
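
The per-flow assignment asked about in the quoted question, made by the one thread that calls libpcap, as an added example that is not part of the original message and is not Snort code. `struct flow_key`, `flow_hash` and `pick_worker` are hypothetical names and FNV-1a is just one choice of hash; the endpoints are ordered before hashing so that both directions of a connection land on the same worker, which stream reassembly depends on.

```c
#include <stdint.h>

/* Hypothetical flow key (not a Snort structure); fields in host byte order. */
struct flow_key {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
};

/* Order the endpoints so A->B and B->A yield the same key. */
static struct flow_key canonical(struct flow_key k)
{
    if (k.src_ip > k.dst_ip ||
        (k.src_ip == k.dst_ip && k.src_port > k.dst_port)) {
        uint32_t ip = k.src_ip;   k.src_ip = k.dst_ip;     k.dst_ip = ip;
        uint16_t pt = k.src_port; k.src_port = k.dst_port; k.dst_port = pt;
    }
    return k;
}

/* Mix the low nbytes of v into h (one FNV-1a step per byte). */
static uint32_t mix(uint32_t h, uint32_t v, int nbytes)
{
    for (int i = 0; i < nbytes; i++) {
        h ^= (v >> (8 * i)) & 0xffu;
        h *= 16777619u;
    }
    return h;
}

/* Direction-independent hash of the 5-tuple. */
uint32_t flow_hash(struct flow_key k)
{
    uint32_t h = 2166136261u;
    k = canonical(k);
    h = mix(h, k.src_ip, 4);
    h = mix(h, k.dst_ip, 4);
    h = mix(h, k.src_port, 2);
    h = mix(h, k.dst_port, 2);
    h = mix(h, k.proto, 1);
    return h;
}

/* Called by the capture thread after libpcap returns a packet: the result
 * is the index of the worker queue that owns this flow. */
unsigned pick_worker(struct flow_key k, unsigned nworkers)
{
    return nworkers ? flow_hash(k) % nworkers : 0;
}
```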
