[Snort-devel] Snort.org Blog: Snort 2.9.1 beta coming soon!
jesler at ...402...
Mon Jun 13 16:08:48 EDT 2011
On Jun 13, 2011, at 4:01 PM, Russ Combs wrote:
> Ok, I get why stream reassembly is theoretically more efficient in a
> single thread because of CPU caching, etc., but I don't understand why
> packets still have to wait in line for a u2 entry to be written. It
> seems like tossing output from the main thread into an async output
> thread would be pretty easy because you don't have to keep state and
> everything is one-way. For alerting, the volume is not an issue, but
> as more analysts use packet tagging and now HTTP logging, the strain
> on that single main thread is going to cause packet drops for some if
> they're not extremely careful. If I'm missing something, I'd be
> grateful for clarification.
> Agreed. I don't think this issue has reached a point where it is on our roadmap yet, but all the extra logging could lead to reevaluating sooner rather than later. Thanks for your comments.
We were just having a discussion on that this morning, so we'll keep it open. Thanks for your input. Lets us know that the community is concerned as well.